CVE-2026-31818

CRITICAL 9.9 · EPSS percentile 29.3%

Description

Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection, an IP blacklist, is ineffective in practice because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist check unconditionally returns false, so every outbound request from the connector is allowed through without restriction. This issue has been patched in version 3.33.4.
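The failure mode above is a textbook CWE-1188: a security control whose entire policy lives in an operator-supplied setting that ships empty. The following is an added illustration, not Budibase's code (the advisory does not reproduce the project's implementation); function names, the env-var plumbing and the built-in deny list are assumptions chosen to show the weak check beside a deny-by-default replacement. It works on already-resolved IPv4 literals so that it runs offline.

```typescript
// Added illustration of the pattern the advisory describes. This is NOT
// Budibase's code: the advisory does not show the project's implementation,
// so function names, the env-var plumbing and the default deny list below
// are assumptions chosen to demonstrate the failure mode and one fix.

// Assumed built-in deny list (non-exhaustive): non-routable and special-use
// IPv4 ranges an outbound HTTP connector should never reach, regardless of
// what the operator configured.
const DEFAULT_DENY_CIDRS: string[] = [
  "0.0.0.0/8",
  "10.0.0.0/8",       // RFC 1918
  "100.64.0.0/10",    // shared address space (RFC 6598)
  "127.0.0.0/8",      // loopback
  "169.254.0.0/16",   // link-local, including cloud metadata endpoints
  "172.16.0.0/12",    // RFC 1918
  "192.168.0.0/16",   // RFC 1918
];

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit integer, or null.
function ipv4ToInt(ip: string): number | null {
  const parts = ip.trim().split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True when `ip` falls inside `cidr` ("a.b.c.d" or "a.b.c.d/bits").
function inCidr(ip: string, cidr: string): boolean {
  const pieces = cidr.split("/");
  const base = pieces[0] ?? "";
  const bits = pieces[1] === undefined ? 32 : Number(pieces[1]);
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null || !Number.isInteger(bits) || bits < 0 || bits > 32) {
    return false;
  }
  if (bits === 0) return true;                      // /0 matches everything
  const mask = (0xffffffff << (32 - bits)) >>> 0;   // e.g. /12 -> 0xfff00000
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// Split a comma-separated env value into CIDR strings, dropping blanks.
function parseList(env: string | undefined): string[] {
  return (env ?? "").split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// Weak pattern (CWE-1188): the deny list comes only from an operator-set
// variable. With the variable unset, as in a default deployment, nothing is
// ever blocked, so the SSRF guard is effectively dead code.
function isBlacklistedWeak(ip: string, blacklistEnv: string | undefined): boolean {
  const list = parseList(blacklistEnv);
  if (list.length === 0) return false;             // empty config => allow all
  return list.some((cidr) => inCidr(ip, cidr));
}

// Hardened: deny-by-default. Built-in ranges are always enforced; the env var
// can only add entries. Anything that is not a parseable IPv4 literal is also
// refused (fail closed) - a real connector would extend this to IPv6.
function isBlockedHardened(ip: string, blacklistEnv: string | undefined): boolean {
  if (ipv4ToInt(ip) === null) return true;
  const deny = [...DEFAULT_DENY_CIDRS, ...parseList(blacklistEnv)];
  return deny.some((cidr) => inCidr(ip, cidr));
}

// Constructed sample: resolved addresses a REST datasource might be pointed
// at, evaluated with BLACKLIST_IPS unset (the default the advisory describes).
function compareDefaults(): Record<string, { weak: boolean; hardened: boolean }> {
  const targets = ["169.254.169.254", "127.0.0.1", "10.20.30.40", "93.184.216.34"];
  const out: Record<string, { weak: boolean; hardened: boolean }> = {};
  for (const t of targets) {
    out[t] = { weak: isBlacklistedWeak(t, undefined), hardened: isBlockedHardened(t, undefined) };
  }
  return out;
}
```

Two caveats a reviewer of the real connector would still raise: the check must run against the addresses the hostname actually resolves to (and be re-applied on every redirect hop), otherwise a DNS name or an open redirect pointing at 169.254.169.254 sails past a literal-only filter; and since the CVSS vector has PR:L, the relevant attacker is any low-privilege authenticated user who can configure a REST datasource, so the control cannot be left to deployment-time opt-in.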

Scoring

CVSS 3.1: 9.9 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
EPSS: 0.38% probability of exploitation · percentile 29.3% · scored 2026-06-18T12:00:27Z
Published: 2026-04-03
Last modified: 2026-04-08

Underlying weaknesses (2)

CWE-918 (Server-Side Request Forgery), CWE-1188 (Initialization of a Resource with an Insecure Default)

References

  1. https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732
  2. https://github.com/Budibase/budibase/pull/18236
  3. https://github.com/Budibase/budibase/releases/tag/3.33.4
  4. https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45

Type      Target                                                            Confidence  Tier
Weakness  Initialization of a Resource with an Insecure Default (cwe-1188)  0%          live
Weakness  Server-Side Request Forgery (SSRF) (cwe-918)                      0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-31816
  2. CVE-2026-35218
  3. CVE-2026-42239
  4. CVE-2026-41428
  5. CVE-2026-33226
  6. CVE-2026-35216
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.