PT-2026-39904 · Budibase+2 · Budibase
Jeongbeannnn
·
Published
2026-05-11
·
Updated
2026-05-27
·
CVE-2026-45061
CVSS v3.1
7.7
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Budibase versions prior to 3.35.10
Description
The Plugin URL upload endpoint "POST /api/plugin" contains a flaw in how it validates submitted URLs. It uses a simple substring check to verify if the
url variable contains ".tar.gz", which can be bypassed by placing that string anywhere in the path, query string, or fragment. This allows the URL to proceed to the fetchWithBlacklist() function without proper validation of the host, scheme, or path, leading to Server-Side Request Forgery (SSRF). SSRF is a vulnerability where an attacker can force the server to make requests to an unintended location, such as internal services.This issue can be exploited in two primary scenarios: when the
BLACKLIST IPS configuration is empty, bypassing the default SSRF blacklist, or when the plugin server follows HTTP redirects from an external URL to an internal target due to the default behavior of node-fetch with redirect: 'follow'. This could allow access to internal network services, such as AWS/GCP/Azure IMDS for credential theft, CouchDB, or Redis.Recommendations
Update to version 3.35.10.
As a temporary workaround, restrict access to the "POST /api/plugin" endpoint to only trusted users with the Global Builder role.
Exploit
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Budibase