PT-2026-41397 · Npm+2 · @Budibase/Server+1
Sajdakabir
·
Published
2026-05-15
·
Updated
2026-05-27
·
CVE-2026-45715
CVSS v3.1
7.7
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Budibase versions prior to 3.38.1
Description
The REST datasource integration in the
packages/server/src/integrations/rest.ts file follows HTTP redirects without re-validating the target URL against the IP blacklist. This allows an authenticated Builder to bypass security controls and access internal services, such as cloud metadata and databases, by redirecting requests through an attacker-controlled server. The issue occurs because the req() function does not set the redirect: "manual" option, causing the system to automatically follow HTTP 301, 302, and 307 redirects without performing a secondary blacklist check on the redirect destination.Recommendations
Update to version 3.38.1.
As a temporary workaround, restrict access to the REST datasource integration to minimize the risk of internal service exposure.
Exploit
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
@Budibase/Server
Budibase