PT-2026-39904 · Budibase+2 · Budibase

Jeongbeannnn

·

Published

2026-05-11

·

Updated

2026-05-27

·

CVE-2026-45061

CVSS v3.1

7.7

High

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.35.10
Description The Plugin URL upload endpoint "POST /api/plugin" contains a flaw in how it validates submitted URLs. It uses a simple substring check to verify if the url variable contains ".tar.gz", which can be bypassed by placing that string anywhere in the path, query string, or fragment. This allows the URL to proceed to the fetchWithBlacklist() function without proper validation of the host, scheme, or path, leading to Server-Side Request Forgery (SSRF). SSRF is a vulnerability where an attacker can force the server to make requests to an unintended location, such as internal services.
This issue can be exploited in two primary scenarios: when the BLACKLIST IPS configuration is empty, bypassing the default SSRF blacklist, or when the plugin server follows HTTP redirects from an external URL to an internal target due to the default behavior of node-fetch with redirect: 'follow'. This could allow access to internal network services, such as AWS/GCP/Azure IMDS for credential theft, CouchDB, or Redis.
Recommendations Update to version 3.35.10. As a temporary workaround, restrict access to the "POST /api/plugin" endpoint to only trusted users with the Global Builder role.

Exploit

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45061
GHSA-XH5J-727M-W6GG

Affected Products

Budibase