CVE-2026-45715: Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration
Budibase is an open-source low-code platform. Prior to 3.38.1, the REST datasource integration (packages/server/src/integrations/rest.ts) follows HTTP redirects without re-checking the IP blacklist, allowing an authenticated Builder to access internal services (cloud metadata, databases) by redirecting through an attacker-controlled server. This vulnerability is fixed in 3.38.1.
HarborGuard Analysis
Synopsis
This is a server-side request forgery (SSRF) bypass affecting Budibase, an open-source low-code platform. An authenticated user with Builder-level access can exploit the REST datasource integration by pointing it at an attacker-controlled server that issues an HTTP redirect to an internal address; Budibase follows the redirect without re-checking its IP blocklist, so the request reaches internal services such as cloud metadata endpoints or internal databases. Successful exploitation grants read access to sensitive internal resources, including cloud provider metadata that can expose instance credentials. No fix version has been published yet; HarborGuard is tracking the upstream advisory for patch availability.
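The defect the synopsis describes is a blocklist that is consulted once, for the first URL, while the HTTP client then follows 3xx responses on its own. The guard below is an added example, not code from Budibase or HarborGuard: it follows redirects manually and re-runs the destination check on every hop, so a 302 from an allowed external host to 169.254.169.254 is refused at the hop where it appears. The names checkedRequest, isBlockedIp, fetchOnce and resolve, the blocked-range list and the simulated DNS and server tables are all assumptions of this example; fetchOnce and resolve are injected so the file runs offline.

```javascript
// Added example, not Budibase's own code: an SSRF guard that re-validates the destination
// on every redirect hop. checkedRequest, isBlockedIp, fetchOnce and resolve are assumed
// names. fetchOnce(url) is expected to perform ONE request with redirects disabled and
// return { status, headers, body }; resolve(hostname) is expected to return the IP the
// client will actually connect to. Both are injected so this runs offline.

// Ranges a REST datasource should never reach (constructed list for the example):
// "this" network, RFC 1918 private space, loopback, link-local (covers 169.254.169.254), CGNAT.
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["127.0.0.0", 8], ["169.254.0.0", 16],
  ["172.16.0.0", 12], ["192.168.0.0", 16], ["100.64.0.0", 10],
];
const MAX_REDIRECTS = 5;
const V4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

function isIPv4Literal(s) {
  const m = V4_RE.exec(s);
  return !!m && m.slice(1).every((o) => Number(o) <= 255);
}

function v4ToInt(ip) {
  // Unsigned 32-bit value of a dotted quad; >>> 0 undoes the signed shift.
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

function isBlockedIp(ip) {
  if (isIPv4Literal(ip)) {
    const n = v4ToInt(ip);
    return BLOCKED_V4.some(([base, bits]) => {
      const mask = (0xffffffff << (32 - bits)) >>> 0;
      return (n & mask) >>> 0 === (v4ToInt(base) & mask) >>> 0;
    });
  }
  const lower = ip.toLowerCase();
  // IPv4-mapped IPv6 (::ffff:169.254.169.254) is routed as v4, so it re-enters the v4 check.
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(lower);
  if (mapped) return isBlockedIp(mapped[1]);
  if (lower === "::1" || lower === "::") return true;              // loopback, unspecified
  if (/^fe[89ab]/.test(lower) || /^f[cd]/.test(lower)) return true; // link-local, ULA
  if (lower.includes(":")) return false;                          // other IPv6 literal
  return true; // not an IP literal at all: fail closed
}

async function checkedRequest(startUrl, { fetchOnce, resolve }) {
  let url = new URL(startUrl);
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    // The whole check runs on EVERY hop. Checking only the first URL is the bug in the
    // advisory: a 3xx from an allowed host can point anywhere.
    if (url.protocol !== "http:" && url.protocol !== "https:") {
      throw new Error(`blocked scheme ${url.protocol} at hop ${hop}`);
    }
    const host = url.hostname.replace(/^\[|\]$/g, ""); // bare IPv6 literals carry brackets
    const ip = isIPv4Literal(host) || host.includes(":") ? host : await resolve(host);
    if (isBlockedIp(ip)) {
      throw new Error(`blocked destination ${host} (${ip}) at hop ${hop}`);
    }
    // fetchOnce should connect to `ip` rather than re-resolve `host`, or a DNS-rebinding
    // server could answer the check with a public address and the connection with a private one.
    const res = await fetchOnce(url.toString());
    if (res.status >= 300 && res.status < 400 && res.headers.location) {
      url = new URL(res.headers.location, url); // relative Location resolves against the current URL
      continue;
    }
    return res;
  }
  throw new Error(`more than ${MAX_REDIRECTS} redirects`);
}

// Constructed simulation of the chain in the advisory: an external host the blocklist allows
// answers with a 302 to the cloud metadata endpoint. Unknown hosts resolve to 0.0.0.0 (blocked).
const FAKE_DNS = { "attacker.example": "203.0.113.10", "api.example": "198.51.100.7" };
const FAKE_SERVER = {
  "http://attacker.example/": { status: 302, headers: { location: "http://169.254.169.254/latest/meta-data/" }, body: "" },
  "http://api.example/old": { status: 301, headers: { location: "/data" }, body: "" },
  "http://api.example/data": { status: 200, headers: {}, body: '{"ok":true}' },
};
const sim = {
  resolve: async (host) => FAKE_DNS[host] ?? "0.0.0.0",
  fetchOnce: async (u) => FAKE_SERVER[u] ?? { status: 404, headers: {}, body: "" },
};

// Wraps the guard so both outcomes are plain values:
// { outcome: "allowed", status, body } or { outcome: "blocked", reason }.
async function tryFetch(startUrl) {
  try {
    const res = await checkedRequest(startUrl, sim);
    return { outcome: "allowed", status: res.status, body: res.body };
  } catch (e) {
    return { outcome: "blocked", reason: e.message };
  }
}

tryFetch("http://api.example/old").then(console.log);   // benign relative redirect: allowed, 200
tryFetch("http://attacker.example/").then(console.log); // redirect to 169.254.169.254: blocked at hop 1
```

The important design choice is that the check sits inside the loop, not in front of it, and that it applies to the address the client will connect to rather than the hostname string. An application-level guard like this complements, rather than replaces, the egress network policy and IMDSv2 controls listed later on this page: the network layer still catches anything the guard's range list misses.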
HarborGuard Coverage
- Detection: Available
Detection of CVE-2026-45715 is available across every HarborGuard environment - the CVE is ingested from upstream feeds (including the GitHub Advisory Database) within minutes of publication and matched against all customer images, including custom-built images that bundle Budibase server components.
- Scoring and routing: Available
HarborGuard scores this finding at CVSS 7.7 HIGH (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) and is capable of weighting it further against each environment's compliance policy, routing the alert to the appropriate team inbox within each customer organization.
- Remediation: Pending upstream
Because no upstream fix version has been published, HarborGuard re-checks the Budibase advisory each ingest cycle and will make a patched-image rebuild available the moment version 3.38.1 or a later fix is released upstream. For customers with auto-remediation enabled, the rebuild, regression run, and pull request against affected workloads will be triggered automatically at that point.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Budibase server over the network to submit REST datasource requests; the vulnerable endpoint is exposed as a networked service.
- Authentication: Required
A low-privilege Builder account is sufficient; no administrative credentials are needed, but the attacker must be authenticated.
- Victim interaction: Not required
No victim interaction is needed; the attacker triggers the redirect entirely through their own requests to the Budibase API.
- Attack complexity: Low
Attack complexity is low - the exploit is reliable and condition-free, requiring only that the attacker control a server capable of issuing an HTTP redirect to a target internal address.
Blast Radius
- Reads cloud provider instance metadata endpoints (such as AWS IMDSv1 at 169.254.169.254), potentially exposing IAM role credentials tied to the host instance.
- Reads configuration data or query results from internal databases and services that are reachable from the Budibase server but not intended to be exposed externally.
- Reads internal HTTP APIs (monitoring endpoints, admin panels, service discovery endpoints) that rely on network-level isolation rather than authentication for protection.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists yet for CVE-2026-45715, HarborGuard monitors the Budibase advisory on every ingest cycle and will surface a patched-image rebuild the moment version 3.38.1 is published upstream.
In the interim, compensating controls worth considering include applying a network policy that restricts egress from Budibase server pods to explicitly allowed external CIDR ranges only, blocking access to link-local ranges (169.254.0.0/16) at the host or cloud-security-group layer, and disabling IMDSv1 in favor of IMDSv2 (which requires a PUT-initiated session token) on any cloud instances running Budibase.
For customers with auto-remediation enabled, the moment a fix version becomes available HarborGuard will trigger a rebuild, run regression tests, and open a pull request against affected workloads. Customers managing their own remediation timeline will see the finding in their dashboard with the compensating-control suggestions noted above.
Metrics
- CVSS v3.1: 7.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
- Budibase / budibase < 3.38.1
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N