CVE-2026-48128

Sažetak

Budibase is an open-source low-code platform. Prior to 3.39.0, the executeQuery automation step in Budibase accepts a queryId from automation step inputs and passes it directly to the query execution controller without additional validation. When combined with a REST datasource configured to target internal infrastructure, this creates a server-side request forgery path where automation execution causes the Budibase server to make outbound HTTP requests to attacker-influenced destinations. The automation output then returns the response, potentially exposing internal service data. This vulnerability is fixed in 3.39.0.

Reference

https://github.com/Budibase/budibase/security/advisories/GHSA-6964-pp88-6wp9
https://github.com/Budibase/budibase/security/advisories/GHSA-6964-pp88-6wp9

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

27-05-2026 - 20:16

Objavljeno

27-05-2026 - 18:16