CVE-2026-48146

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.39.0

Description The OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts uses a raw fetch(config.url) call without Server-Side Request Forgery (SSRF) protection. SSRF is a flaw that allows an attacker to induce the server-side application to make requests to an unintended location. While a safe wrapper fetchWithBlacklist() is used for other outbound HTTP calls, it was not applied to the OAuth2 token endpoint. A user with the BUILDER role can point the OAuth2 token URL to internal services, such as CouchDB or cloud metadata, to exfiltrate sensitive data.

Recommendations Update to version 3.39.0.