CVE-2026-31818: Budibase: Server-Side Request Forgery via REST Connector with Empty Default `Blacklist`
| Field | Value |
|---|---|
| Title | SSRF via REST Connector with Empty Default Blacklist Leading to Full Internal Data Exfiltration |
| Product | Budibase |
| Affected Version | 3.30.6 (latest stable as of 2026-02-25); the fix commit, pull request and 3.33.4 release tag are listed under References |
| Component | REST Datasource Integration + Backend-Core Blacklist Module |
| Severity | Critical |
| Attack Vector | Network |
| Privileges Required | Low (Builder role, or QUERY WRITE for execution of pre-existing queries) |
| User Interaction | None |
| Affected Deployments | All self-hosted instances without explicit BLACKLIST_IPS configuration (believed to be the vast majority) |
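The mechanism behind this advisory in miniature, as an added example that is not Budibase's code: a REST connector that only refuses targets found on a deny-list will happily fetch loopback, RFC 1918 and cloud-metadata addresses when that list is empty, which is exactly the "empty default blacklist" condition the advisory describes. The example models the check a connector must apply before fetching a builder-supplied URL and contrasts the empty default with a populated list. It assumes, as a labelled assumption, that BLACKLIST_IPS is a comma-separated list of IPv4 addresses or CIDR ranges (verify the format against the Budibase documentation), and it takes an already-resolved IPv4 address rather than doing DNS itself.

```typescript
// Added example, not Budibase code. Models the outbound-target check an SSRF
// deny-list gives a REST connector, and why an empty default list is a
// vulnerability rather than a safe default.

type Cidr = { base: number; mask: number };

// Parse a dotted-quad IPv4 literal to an unsigned 32-bit integer.
function ipv4ToInt(ip: string): number {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error(`not an IPv4 literal: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`bad octet in ${ip}`);
    return ((acc << 8) | Number(p)) >>> 0;
  }, 0);
}

// "10.0.0.0/8" or a bare address (treated as /32).
function parseCidr(spec: string): Cidr {
  const [ip, prefixStr] = spec.split("/");
  const prefix = prefixStr === undefined ? 32 : Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`bad prefix in ${spec}`);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return { base: (ipv4ToInt(ip) & mask) >>> 0, mask };
}

// ASSUMPTION: BLACKLIST_IPS is a comma-separated list of IPv4 addresses/CIDRs.
// An unset or empty variable yields an empty list, i.e. nothing is blocked.
export function parseBlacklist(envValue: string | undefined): Cidr[] {
  if (!envValue) return [];
  return envValue.split(",").map((s) => s.trim()).filter(Boolean).map(parseCidr);
}

// Ranges an internet-facing low-code platform should refuse to fetch by default.
export const RECOMMENDED_BLACKLIST = [
  "127.0.0.0/8",    // loopback
  "10.0.0.0/8",     // RFC 1918
  "172.16.0.0/12",  // RFC 1918
  "192.168.0.0/16", // RFC 1918
  "169.254.0.0/16", // link-local, includes the 169.254.169.254 cloud metadata endpoint
  "100.64.0.0/10",  // RFC 6598 shared address space
  "0.0.0.0/8",      // "this" network
].join(",");

export function isBlocked(ip: string, blacklist: Cidr[]): boolean {
  const addr = ipv4ToInt(ip);
  return blacklist.some((c) => ((addr & c.mask) >>> 0) === c.base);
}

// The decision a connector should make before issuing the request, given the
// resolved address of the target and the deployment's BLACKLIST_IPS value.
export function checkOutboundTarget(resolvedIp: string, blacklistEnv: string | undefined): "allow" | "deny" {
  return isBlocked(resolvedIp, parseBlacklist(blacklistEnv)) ? "deny" : "allow";
}

// Stand-alone demo: the empty default versus the recommended list.
for (const target of ["169.254.169.254", "127.0.0.1", "10.1.2.3", "93.184.216.34"]) {
  console.log(
    target,
    "| BLACKLIST_IPS unset:", checkOutboundTarget(target, undefined),
    "| recommended list:", checkOutboundTarget(target, RECOMMENDED_BLACKLIST),
  );
}
```

With BLACKLIST_IPS unset every target comes back "allow", including the metadata endpoint; with the recommended list only the public address does. Operators of self-hosted instances who cannot upgrade immediately should therefore set BLACKLIST_IPS explicitly, since the advisory reports the default is empty. Two caveats a practitioner should keep in mind: a deny-list like this one is inherently the weaker control (it does not cover IPv6 loopback or IPv4-mapped IPv6 addresses, alternative numeric encodings of an address, or a hostname that resolves to a public address at check time and a private one at connect time), so the check must run on the resolved address immediately before the socket is opened and again on every redirect, and an allow-list of approved upstream hosts is preferable where the deployment can tolerate it.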
References
- github.com/Budibase/budibase
- github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732
- github.com/Budibase/budibase/pull/18236
- github.com/Budibase/budibase/releases/tag/3.33.4
- github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45
- github.com/advisories/GHSA-7r9j-r86q-7g45
- nvd.nist.gov/vuln/detail/CVE-2026-31818
Detect and mitigate CVE-2026-31818 with GitLab Dependency Scanning