CVE-2026-33226: Budibase Unrestricted Server-Side Request Forgery (SSRF) via REST Datasource Query Preview

March 18, 2026

The REST datasource query preview endpoint (POST /api/queries/preview) makes server-side HTTP requests to any URL supplied by the user in fields.path with no validation. An authenticated admin can reach internal services that are not exposed to the internet — including cloud metadata endpoints (AWS/GCP/Azure), internal databases, Kubernetes APIs, and other pods on the internal network. On GCP this leads to OAuth2 token theft with cloud-platform scope (full GCP access). On any deployment it enables full internal network enumeration.

References

github.com/Budibase/budibase
github.com/Budibase/budibase/security/advisories/GHSA-4647-wpjq-hh7f
github.com/advisories/GHSA-4647-wpjq-hh7f
nvd.nist.gov/vuln/detail/CVE-2026-33226

Code Behaviors & Features

Detect and mitigate CVE-2026-33226 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →