PT-2026-44056 · Budibase · Budibase

Fg0X0 · Published 2026-05-27 · Updated 2026-06-12 · CVE-2026-48128

CVSS v4.0: 5.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 3.39.0

Description: The executeQuery automation step accepts a queryId from automation step inputs and passes it to the query execution controller without additional validation. When a REST datasource is configured to target internal infrastructure, this allows server-side request forgery (SSRF): the server is coerced into making outbound HTTP requests to destinations influenced by an attacker. The automation output then returns the response, which can expose internal service data.

Recommendations: Update to version 3.39.0.
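As an added, defender-side illustration (this is not Budibase code; the function names, the blocked-range table and the sample URLs are assumptions constructed for this example), the block below shows the kind of destination guard an outbound REST datasource needs before it issues a request: refuse non-HTTP schemes and literal internal addresses, including loopback, RFC 1918 ranges, the link-local range that hosts cloud metadata endpoints, IPv6 equivalents, and numeric encodings of loopback that the URL parser normalises.

```javascript
// Added example (not Budibase code): a destination guard for outbound REST
// requests, illustrating the mitigation for the SSRF class described above.
// Function names, the blocked-range table and the sample URLs are assumptions
// constructed for this example. `URL` is Node's global WHATWG URL class.

// IPv4 ranges an outbound-request guard should refuse to contact.
const BLOCKED_V4 = [
  ["0.0.0.0", 8],       // "this" network
  ["10.0.0.0", 8],      // RFC 1918 private
  ["100.64.0.0", 10],   // carrier-grade NAT
  ["127.0.0.0", 8],     // loopback
  ["169.254.0.0", 16],  // link-local, includes cloud metadata endpoints
  ["172.16.0.0", 12],   // RFC 1918 private
  ["192.168.0.0", 16],  // RFC 1918 private
];

// Parse a dotted-quad IPv4 string into an unsigned 32-bit integer, or null.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if `ip` lies inside the CIDR block `base/bits`.
function inCidr(ip, base, bits) {
  const a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a === null || b === null) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Decide whether a host literal names an internal address. Only literal IPs
// and localhost names are caught here; a DNS name must be resolved and its
// addresses re-checked at connect time, or a rebinding answer slips through.
function isInternalHost(host) {
  const h = host.toLowerCase().replace(/^\[|\]$/g, "");     // strip IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h.includes(":")) {                                      // IPv6 literal
    if (h === "::1" || h === "::") return true;               // loopback, unspecified
    if (/^f[cd]/.test(h) || /^fe[89ab]/.test(h)) return true; // ULA, link-local
    const mapped = h.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);  // IPv4-mapped form
    return mapped ? isInternalHost(mapped[1]) : false;
  }
  if (ipv4ToInt(h) !== null) {
    return BLOCKED_V4.some(([base, bits]) => inCidr(h, base, bits));
  }
  return false; // ordinary DNS name: resolve and re-check before connecting
}

// Validate a REST datasource target before any request is issued.
// Returns { ok, reason, host } so callers can log why a target was rejected.
function validateDestination(target) {
  let url;
  try {
    url = new URL(target);
  } catch (err) {
    return { ok: false, reason: "unparseable URL", host: null };
  }
  // The WHATWG parser normalises numeric hosts (e.g. 2130706433, 0x7f.1) to
  // dotted-quad form, so encoded loopback addresses reach the range check.
  const host = url.hostname;
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed`, host };
  }
  if (isInternalHost(host)) {
    return { ok: false, reason: `internal destination ${host}`, host };
  }
  return { ok: true, reason: "allowed", host };
}

// Constructed sample targets: the kind of values an automation step could
// hand a REST datasource, and how the guard classifies each of them.
const SAMPLE_TARGETS = [
  "https://api.example.com/v1/orders",
  "http://127.0.0.1:8080/admin",
  "http://169.254.169.254/latest/meta-data/",
  "http://[::1]/",
  "http://2130706433/",
  "file:///etc/passwd",
];

for (const t of SAMPLE_TARGETS) {
  const v = validateDestination(t);
  console.log(`${v.ok ? "ALLOW" : "BLOCK"} ${t}  (${v.reason})`);
}
```

The guard only classifies host literals. For a DNS name the same range check has to run on the resolved addresses at connect time (and again on every redirect target), otherwise a name that resolves to an internal address, or changes its answer between check and connect, bypasses it. A check on automation inputs such as the queryId referenced in this advisory is a separate control: it decides whether the caller may run that query at all, while this guard decides where the resulting request may go.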

Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-48128
GHSA-6964-PP88-6WP9

Affected Products

Budibase