Budibase SSRF Flaw: Default Config Leaves Open-Source Low-Code Exposed
CVE Notify is flagging a critical Server-Side Request Forgery (SSRF) vulnerability in the open-source low-code platform Budibase. The flaw, tracked as CVE-2026-31818, affects versions prior to 3.33.4. According to CVE Notify, the issue lies in Budibase's REST datasource connector, where the built-in SSRF protection is rendered ineffective: the BLACKLIST_IPS environment variable that drives it is not set by default in the official deployment configurations. With the variable empty, the blacklist check always returns false, so requests to any destination pass the security check unrestricted.
This is a classic case of a security feature being present but not enabled out of the box. CVE Notify highlights that when BLACKLIST_IPS is empty, the SSRF protection is effectively nullified. Attackers could leverage this to reach internal network resources or external services that the Budibase server can access, leading to data exfiltration or further network compromise. The good news is that this has been patched in Budibase version 3.33.4.
What This Means For You
- For organizations using Budibase, immediately verify if the `BLACKLIST_IPS` environment variable is explicitly configured in your deployment, even if you've updated to version 3.33.4, to ensure the SSRF protection is actively enforced.
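The failure mode described above, as an added example (not Budibase's own code): an environment-driven SSRF deny list that silently degrades to "allow everything" when the variable is unset, beside a fail-closed variant and a startup audit matching the recommendation above. The comma-separated CIDR format of BLACKLIST_IPS and the function names are assumptions, not taken from the advisory.

```javascript
// Added example, not Budibase's code. Assumes BLACKLIST_IPS is a
// comma-separated list of IPv4 CIDRs (an assumption, not from the page).

function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function parseBlacklist(envValue) {
  return (envValue || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// Flawed pattern: with BLACKLIST_IPS unset the parsed list is empty, so no
// destination ever matches and the check returns false for every target.
function isBlacklistedUnsafe(ip, envValue) {
  return parseBlacklist(envValue).some((cidr) => inCidr(ip, cidr));
}

// Hardened pattern: loopback, RFC 1918, link-local (which covers cloud
// metadata endpoints) and the unspecified range are always denied; the
// operator-supplied list only adds to that baseline.
const DEFAULT_DENY = [
  "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
  "192.168.0.0/16", "169.254.0.0/16", "0.0.0.0/8",
];

function isBlacklistedSafe(ip, envValue) {
  const deny = DEFAULT_DENY.concat(parseBlacklist(envValue));
  return deny.some((cidr) => inCidr(ip, cidr));
}

// Deployment audit: surface an unset/empty BLACKLIST_IPS at startup instead
// of letting the protection fail open. Call with process.env in practice.
function auditBlacklistSetting(env) {
  const list = parseBlacklist(env.BLACKLIST_IPS);
  return list.length === 0
    ? "BLACKLIST_IPS is unset or empty: env-driven SSRF blacklist is a no-op"
    : `BLACKLIST_IPS covers ${list.length} range(s)`;
}
```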
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-31818 | SSRF | Budibase versions prior to 3.33.4, REST datasource connector, SSRF protection mechanism ineffective due to BLACKLIST_IPS environment variable not being set by default. |
| CVE-2026-31818 | Misconfiguration | Budibase versions prior to 3.33.4, BLACKLIST_IPS environment variable not set by default in official deployment configurations, leading to SSRF vulnerability. |