PT-2026-26216 · Budibase · Budibase

Da7Om85 · Published 2026-03-18 · Updated 2026-03-26 · CVE-2026-33226

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Budibase versions 3.30.6 and prior
Description: Budibase is a low-code platform for building internal tools, workflows, and admin panels. A flaw exists in the REST datasource query preview endpoint (POST /api/queries/preview): the server issues HTTP requests to any URL supplied by the user in the fields.path parameter without proper validation. This allows an authenticated administrator to reach internal services that are not exposed to the internet, including cloud metadata endpoints (AWS/GCP/Azure), internal databases, Kubernetes APIs, and other pods on the internal network. On Google Cloud Platform (GCP), this can lead to theft of an OAuth2 token with the cloud-platform scope, granting full GCP access. In any deployment, it enables full internal network enumeration. The vulnerable handler is located in packages/server/src/api/controllers/query.ts (preview()). The fields.path parameter is passed directly to the REST HTTP client without IP or hostname validation: there is no blocklist for loopback addresses, RFC 1918 ranges, link-local/cloud metadata addresses, or internal Kubernetes DNS names.
Recommendations: Versions prior to 3.30.6 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
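The validation the description says is missing, as an added defensive example (TypeScript, not Budibase's own code): an outbound-URL guard that rejects the address classes listed above before a user-supplied fields.path is handed to the HTTP client. The function names and the DNS table are constructed for the demonstration and are not from the project.

```typescript
// Added example, not Budibase code: an outbound-URL guard of the kind the advisory
// says preview() lacks. DNS is injected so this runs offline; production code would
// pass a real lookup and re-check the address the HTTP client actually connects to
// (follow-redirect targets and DNS rebinding otherwise bypass a one-time check).
type Resolver = (host: string) => string[];
// Loopback, RFC 1918, link-local (incl. the 169.254.169.254 metadata address), CGNAT, unspecified.
const BLOCKED_CIDRS: [string, number][] = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["127.0.0.0", 8], ["169.254.0.0", 16],
  ["172.16.0.0", 12], ["192.168.0.0", 16], ["100.64.0.0", 10],
];
// Names a user-defined REST datasource never needs to reach.
const BLOCKED_HOSTS = new Set(["localhost", "metadata.google.internal", "metadata"]);
const BLOCKED_SUFFIXES = [".cluster.local", ".svc", ".internal", ".localhost"];

function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function ipv4IsBlocked(ip: string): boolean {
  const n = ipv4ToInt(ip);
  if (n === null) return true; // not a dotted quad (e.g. an IPv6 answer): deny by default
  return BLOCKED_CIDRS.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base)! & mask) >>> 0);
  });
}

function isSafeOutboundUrl(raw: string, resolve: Resolver): boolean {
  let u: URL;
  try { u = new URL(raw); } catch { return false; } // WHATWG parsing canonicalises 2130706433 to 127.0.0.1
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  const host = u.hostname.toLowerCase();
  if (host.includes(":")) return false; // IPv6 literal: denied outright in this example
  if (BLOCKED_HOSTS.has(host) || BLOCKED_SUFFIXES.some((s) => host.endsWith(s))) return false;
  const addrs = ipv4ToInt(host) !== null ? [host] : resolve(host);
  return addrs.length > 0 && addrs.every((a) => !ipv4IsBlocked(a)); // every answer must be public
}

// Constructed DNS table for the offline demonstration (not real records).
const constructedDns: Resolver = (h) =>
  ({ "api.example.com": ["93.184.216.34"], "db.default.svc.cluster.local": ["10.96.0.12"],
     "rebind.example.net": ["93.184.216.34", "10.0.0.5"] } as Record<string, string[]>)[h] ?? [];
```

A name that resolves to a mix of public and private answers is rejected as a whole, which is why the check runs over every record rather than the first one.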

Exploit

SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-33226
GHSA-4647-WPJQ-HH7F

Affected Products

Budibase