PT-2026-41394 · Npm+2 · @Budibase/Server+1
Morimori-Dev
·
Published
2026-05-15
·
Updated
2026-05-27
·
CVE-2026-45548
CVSS v3.1
7.7
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Budibase versions prior to 3.34.8
Description
An authenticated user can trigger server-side requests to internal network addresses. This occurs because the
processUrlFile() function in packages/server/src/automations/steps/ai/extract.ts uses fetch(fileUrl) directly, bypassing the IP blacklist validation applied to other automation steps. This allows access to cloud metadata endpoints, internal network scanning, and access to internal APIs. The fileUrl variable is the vulnerable parameter used to initiate these requests.Recommendations
Update to version 3.34.8.
As a temporary workaround, restrict the use of the AI Extract File step with the source set to URL until the update is applied.
Exploit
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
@Budibase/Server
Budibase