PT-2026-51462 · Budibase · Budibase

Published: 2026-06-22 · Updated: 2026-06-26 · CVE-2026-54353

CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 3.39.9
Description: Authenticated users with automation permissions can bypass the Server-Side Request Forgery (SSRF) blacklist through DNS rebinding. This occurs because the outbound fetch flow resolves the hostname twice: once during blacklist validation and again during the actual socket connection via node-fetch. Since the validated IP addresses are not pinned to the connection, an attacker-controlled hostname can return a public IP during validation and a private or internal IP during the actual connection. This creates a Time-of-Check to Time-of-Use (TOCTOU) condition, resulting in a non-blind SSRF primitive against internal services reachable from the host, including loopback, RFC1918 ranges, and cloud metadata endpoints. The issue affects several components, including outgoing webhooks and integrations with Slack, Discord, Make, Zapier, n8n, AI extract, and object-store fetches. On cloud deployments without IMDSv2 enforcement, this could expose temporary IAM credentials.
Recommendations: Update Budibase to version 3.39.9.

Labels: Fix · SSRF · Time Of Check To Time Of Use

Related Identifiers: CVE-2026-54353, GHSA-GFQ7-5X4G-3XHF

Affected Products: Budibase