CVE-2026-48153: Budibase: SSRF via OAuth2 token endpoint URL reaches internal hosts and cloud metadata
fetchToken in the OAuth2 SDK POSTs to a builder-supplied URL with plain node-fetch, skipping the blacklist.isBlacklisted check that every other outbound fetch path in the codebase applies. The Joi schema for the OAuth2 URL enforces neither a scheme nor a host restriction, so nothing upstream stops the URL from naming an internal address. Alice, a builder, points an OAuth2 config at http://169.254.169.254/... or http://127.0.0.1:5984/ (5984 is the CouchDB default port); the server makes the connection and returns fragments of the response body in the validation result. The SSRF is therefore not blind: a builder can read from the cloud instance metadata service or from services bound to loopback using only builder-level permissions.
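The following is an added example, not Budibase's code, that reproduces the shape of the bug described above (a builder-controlled token URL handed straight to fetch, with upstream body content echoed back) next to a hardened variant that validates the URL before any socket is opened. The identifiers (isInternalHost, validateTokenUrl, fetchTokenSafe, BLOCKED_V4, BLOCKED_NAMES) and the blocked ranges are assumptions for this illustration, not Budibase's own blacklist; fetchImpl stands in for node-fetch so the code runs offline.

```javascript
// Added example, not Budibase's code. Reproduces the advisory's pattern: an
// OAuth2 token URL that goes straight to fetch, beside a hardened variant that
// rejects non-http(s) schemes and internal/metadata hosts first. All names here
// (isInternalHost, validateTokenUrl, fetchTokenSafe, BLOCKED_V4) are assumptions
// for this example, and the ranges are a typical list, not the project's own.

// IPv4 ranges a server-side fetch should never be steered to.
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];
// Hostnames that resolve to loopback or a cloud metadata service.
const BLOCKED_NAMES = new Set(["localhost", "metadata", "metadata.google.internal"]);

function isV4(h) {
  const m = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  return m !== null && m.slice(1).every((o) => Number(o) <= 255);
}
function v4ToInt(ip) {
  return ip.split(".").reduce((acc, o) => acc * 256 + Number(o), 0);
}
function inCidr(ip, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

// IPv4-mapped IPv6 (::ffff:a.b.c.d or ::ffff:xxxx:xxxx) -> dotted quad, else null.
function mappedV4(h) {
  const m = h.match(/^::ffff:(.+)$/);
  if (!m) return null;
  if (isV4(m[1])) return m[1];
  const hex = m[1].match(/^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (!hex) return null;
  const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
  return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join(".");
}

// Returns a reason string when the host must not be contacted, otherwise null.
// Expects a hostname as produced by the WHATWG URL parser, which has already
// normalised decimal/octal/hex IPv4 spellings such as 2130706433 or 0x7f.1.
function isInternalHost(hostname) {
  let h = hostname.toLowerCase().replace(/\.$/, "");
  if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1); // IPv6 literal
  if (BLOCKED_NAMES.has(h)) return `blocked hostname ${h}`;
  if (isV4(h)) {
    for (const [base, bits] of BLOCKED_V4) {
      if (inCidr(h, base, bits)) return `${h} is in blocked range ${base}/${bits}`;
    }
    return null;
  }
  if (h.includes(":")) {
    if (h === "::1" || h === "::") return "IPv6 loopback/unspecified";
    const v4 = mappedV4(h);
    if (v4 !== null) return isInternalHost(v4);
    if (/^fe[89ab][0-9a-f]:/.test(h)) return "IPv6 link-local";
    if (/^f[cd][0-9a-f]{2}:/.test(h)) return "IPv6 unique-local";
    return null;
  }
  return null; // a DNS name: resolve it and re-run this check on every address
}

// Vulnerable shape (what the advisory describes): builder-controlled URL
// straight into fetch, and the upstream body echoed back to the caller.
async function fetchTokenUnchecked(config, fetchImpl) {
  const res = await fetchImpl(config.url, { method: "POST", body: "grant_type=client_credentials" });
  return { status: res.status, bodyPreview: (await res.text()).slice(0, 200) };
}

// Hardened shape: parse, pin the scheme, reject embedded credentials and
// internal hosts, and never hand upstream body content back to the builder.
function validateTokenUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: "credentials embedded in URL" };
  const reason = isInternalHost(url.hostname);
  if (reason !== null) return { ok: false, reason };
  return { ok: true, url: url.toString() };
}

async function fetchTokenSafe(config, fetchImpl) {
  const v = validateTokenUrl(config.url);
  if (!v.ok) throw new Error(`OAuth2 token URL rejected: ${v.reason}`);
  const res = await fetchImpl(v.url, { method: "POST", body: "grant_type=client_credentials" });
  return { status: res.status, tokenReceived: res.ok };
}
```

Two caveats matter in practice. Running the check over the hostname the WHATWG URL parser hands back is what defeats spellings like http://2130706433/ or http://0x7f.1/, since the parser has already turned them into 127.0.0.1; checking the raw string would not. For DNS names the literal check above proves nothing, so a real implementation must resolve the name, apply isInternalHost to every returned address, and connect to those same addresses (or re-check inside the connection hook), otherwise a builder-controlled name can rebind to 169.254.169.254 between the check and the connect.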