Budibase SSRF Flaw: Default Config Leaves Open-Source Low-Code Exposed

CVE Notify is flagging a critical Server-Side Request Forgery (SSRF) vulnerability impacting the open-source low-code platform Budibase. The flaw, identified as CVE-2026-31818, affects versions prior to 3.33.4. According to CVE Notify, the issue lies in Budibase's REST datasource connector, where the built-in SSRF protection mechanism is ineffective. The problem? The crucial BLACKLIST_IPS environment variable isn't set by default in the official deployment configurations. With the blacklist empty, the blacklist function always returns false, so outbound requests made by the connector are never blocked and the security check is bypassed.

This is a classic case of a security feature being present but not properly enabled out-of-the-box. CVE Notify highlights that when BLACKLIST_IPS is empty, the SSRF protection is effectively nullified. Attackers could potentially leverage this to target internal network resources or external services that the Budibase server has access to, leading to data exfiltration or further network compromise. The good news is that this has been patched in Budibase version 3.33.4.

What This Means For You

  • For organizations using Budibase, immediately verify if the `BLACKLIST_IPS` environment variable is explicitly configured in your deployment, even if you've updated to version 3.33.4, to ensure the SSRF protection is actively enforced.
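As an added illustration (not Budibase's own code), the weak pattern described above sits beside a fail-closed alternative and the deployment check suggested here; the function names, the CIDR syntax assumed for BLACKLIST_IPS and the default ranges are all assumptions:

```javascript
// Added example, not Budibase's code; names, CIDR syntax and defaults are assumptions.
// Constructed default ranges a REST datasource should never be able to reach.
const DEFAULT_BLOCKED = [
  "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
  "169.254.0.0/16", // link-local (includes cloud metadata endpoints)
  "0.0.0.0/8",
];

// IPv4 only (an assumption to keep the example short); returns null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 ||
      !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return null;
  const [a, b, c, d] = parts.map(Number);
  return ((a << 24) | (b << 16) | (c << 8) | d) >>> 0;
}

// True if ip lies inside cidr ("10.0.0.0/8"); a bare address means /32.
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : (/^\d+$/.test(bitsStr) ? Number(bitsStr) : NaN);
  const ipInt = ipv4ToInt(ip), baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipInt & mask) === (baseInt & mask);
}

function parseList(env) {
  return (env || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// The weak pattern the advisory describes: an unset or empty BLACKLIST_IPS
// gives an empty list, nothing ever matches, and every address is "allowed".
function isBlacklistedWeak(ip, blacklistEnv) {
  return parseList(blacklistEnv).some((cidr) => inCidr(ip, cidr));
}

// Fail-closed alternative: the built-in ranges are always blocked and
// BLACKLIST_IPS only extends them. Call this on the *resolved* address of the
// target host, not on the hostname, so DNS tricks cannot sidestep the check.
function isBlockedHardened(ip, blacklistEnv) {
  const effective = [...DEFAULT_BLOCKED, ...parseList(blacklistEnv)];
  return effective.some((cidr) => inCidr(ip, cidr));
}

// Deployment check from the advice above: is the variable explicitly set?
function blacklistConfigured(env) {
  return parseList(env.BLACKLIST_IPS).length > 0;
}
```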

Related ATT&CK Techniques

πŸ›‘οΈ Detection Rules

1 rule Β· 6 SIEM formats

1 detection rule mapped to MITRE ATT&CK. Free Sigma YAML below.

  • T1190 (Initial Access), severity high: detection rule "Web Application Exploitation Attempt — CVE-2026-31818" (Sigma YAML)

Source: Shimi's Cyber World · License & reuse

Indicators of Compromise

ID | Type | Indicator
CVE-2026-31818 | SSRF | Budibase versions prior to 3.33.4, REST datasource connector, SSRF protection mechanism ineffective due to the BLACKLIST_IPS environment variable not being set by default.
CVE-2026-31818 | Misconfiguration | Budibase versions prior to 3.33.4, BLACKLIST_IPS environment variable not set by default in official deployment configurations, leading to SSRF vulnerability.
