PT-2026-41394 · Npm+2 · @Budibase/Server+1

Morimori-Dev

·

Published

2026-05-15

·

Updated

2026-05-27

·

CVE-2026-45548

CVSS v3.1

7.7

High

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.34.8
Description An authenticated user can trigger server-side requests to internal network addresses. This occurs because the processUrlFile() function in packages/server/src/automations/steps/ai/extract.ts uses fetch(fileUrl) directly, bypassing the IP blacklist validation applied to other automation steps. This allows access to cloud metadata endpoints, internal network scanning, and access to internal APIs. The fileUrl variable is the vulnerable parameter used to initiate these requests.
Recommendations Update to version 3.34.8. As a temporary workaround, restrict the use of the AI Extract File step with the source set to URL until the update is applied.

Exploit

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45548
GHSA-RPJ4-7X2V-WJRF

Affected Products

@Budibase/Server
Budibase