CVE-2026-48146 · Severity: HIGH · CNA: GitHub_M

CVE-2026-48146: Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection

Budibase is an open-source low-code platform. Prior to 3.39.0, the OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts uses raw fetch(config.url) with no SSRF protection. The safe wrapper fetchWithBlacklist() exists in the same codebase and is used in every other outbound HTTP call (automation steps, plugin downloads, object store), but was not applied to the OAuth2 token endpoint. A user with BUILDER role can point the OAuth2 token URL to internal services (CouchDB, cloud metadata) to exfiltrate sensitive data. This vulnerability is fixed in 3.39.0.

HarborGuard Analysis


Synopsis

This is a server-side request forgery (SSRF) vulnerability in Budibase, an open-source low-code platform. The OAuth2 token fetch function makes outbound HTTP requests using raw fetch() with no SSRF protection, allowing an authenticated user with BUILDER role to point the OAuth2 token URL at internal services such as CouchDB or cloud metadata endpoints. Successful exploitation lets an attacker read sensitive data from internal network services that the Budibase server can reach. A fix was introduced in Budibase 3.39.0, and a patched-image rebuild is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built Budibase images, in both registry scans and active CI/CD pipeline checks.

Triage (Available)

HarborGuard scores this CVE at CVSS 7.7 HIGH and weights it against each environment's compliance policy, then routes the finding to the appropriate team inbox within the customer organization based on configured ownership rules.

Patch (Pending upstream)

No upstream fix version has been published for this CVE yet. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Budibase publishes a fix upstream, at which point auto-remediation customers will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Budibase server over the network to interact with the OAuth2 configuration interface.

  • Authentication: Required

    A low-privilege account is sufficient; the attacker must hold the BUILDER role within the Budibase instance.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker submits the malicious OAuth2 URL directly through the application interface.

  • Attack complexity: Low

    The exploit is reliable and condition-free; no race conditions or special environmental factors are required to redirect the token fetch to an internal target.

Blast Radius

  • Reads responses from internal HTTP services the Budibase server can reach, such as CouchDB credentials or database contents.
  • Reads cloud instance metadata endpoints (for example, AWS IMDSv1 or GCP metadata server), potentially exposing IAM credentials or environment secrets.
  • Exfiltrates any data returned by internal services on ports reachable from the Budibase container's network namespace.
  • Confidentiality impact is rated High; integrity and availability of services are not directly affected by this vulnerability.

How HarborGuard Handles This

Available on HarborGuard: detection is active for all customer images that package Budibase versions prior to 3.39.0, matched within minutes of CVE publication. Because no upstream fix version has been published at this time, HarborGuard monitors the Budibase advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fix is released. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues once the upstream fix is available. In the interim, compensating controls worth considering include network-policy rules that restrict outbound HTTP from the Budibase server container to known-good destinations only, blocking access to link-local ranges (169.254.0.0/16) and internal RFC-1918 addresses, and disabling BUILDER-role OAuth2 configuration if that feature is not actively used in your deployment.
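The advisory's root cause is a bare fetch(config.url) on a URL a BUILDER can set, and the fix it names is the codebase's own fetchWithBlacklist() wrapper. The block below is an added example, not Budibase's code, of what such a guard has to do: parse the URL, restrict the scheme, resolve the host, and refuse any address in loopback, RFC 1918 or link-local space (the same ranges the compensating network-policy control above blocks). Every name in it (BLOCKED_CIDRS, assertSafeUrl, fetchTokenSafely, the constructed DEMO_DNS table standing in for DNS) is an assumption for illustration and does not describe Budibase's real API or its wrapper's signature.

```typescript
// Added example: a fetchWithBlacklist-style guard for a user-supplied OAuth2 token URL.
// All names here (BLOCKED_CIDRS, assertSafeUrl, fetchTokenSafely, DEMO_DNS) are
// assumptions for illustration, not Budibase's own code or API.

type Resolver = (hostname: string) => string[];

// Destinations a server-side fetch must never reach: unspecified, loopback, RFC 1918
// and link-local (the last covers the 169.254.169.254 cloud metadata endpoint).
export const BLOCKED_CIDRS: string[] = [
  "0.0.0.0/8",
  "127.0.0.0/8",
  "10.0.0.0/8",
  "172.16.0.0/12",
  "192.168.0.0/16",
  "169.254.0.0/16",
];

// Dotted-quad IPv4 string -> unsigned 32-bit integer, or null if not plain IPv4.
export function parseIPv4(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n >>> 0;
}

export function ipInCidr(ip: string, cidr: string): boolean {
  const [base, bitsStr] = cidr.split("/");
  const ipNum = parseIPv4(ip);
  const baseNum = parseIPv4(base);
  if (ipNum === null || baseNum === null) return false;
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipNum & mask) >>> 0) === ((baseNum & mask) >>> 0);
}

export function isBlockedAddress(ip: string): boolean {
  // Conservative: anything that is not a plain IPv4 literal (e.g. IPv6 "::1") is
  // refused, because this example only models IPv4 ranges.
  if (parseIPv4(ip) === null) return true;
  return BLOCKED_CIDRS.some((cidr) => ipInCidr(ip, cidr));
}

// Validate a user-controlled URL before any request is made. Throws on any problem.
export function assertSafeUrl(rawUrl: string, resolve: Resolver): URL {
  let url: URL;
  try {
    url = new URL(rawUrl);
  } catch {
    throw new Error("invalid URL");
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`blocked scheme: ${url.protocol}`);
  }
  // WHATWG URL parsing already normalises forms like "2130706433" or "0x7f.1" to
  // dotted-quad "127.0.0.1", so the literal check below sees the real address.
  const host = url.hostname;
  if (host.startsWith("[")) throw new Error("IPv6 literal refused"); // not modelled here
  const addrs = parseIPv4(host) !== null ? [host] : resolve(host);
  if (addrs.length === 0) throw new Error(`host did not resolve: ${host}`);
  for (const addr of addrs) {
    if (isBlockedAddress(addr)) throw new Error(`blocked destination: ${host} -> ${addr}`);
  }
  return url;
}

// The vulnerable shape the advisory describes is a bare `fetch(config.url)`.
// The hardened shape validates first and does not follow redirects automatically,
// because a redirect could otherwise land on an address that was never checked.
export async function fetchTokenSafely(
  config: { url: string; body: string },
  resolve: Resolver,
  fetchImpl: (url: URL, init: { method: string; body: string; redirect: string }) => Promise<unknown>,
): Promise<unknown> {
  const url = assertSafeUrl(config.url, resolve);
  return fetchImpl(url, { method: "POST", body: config.body, redirect: "manual" });
}

// Constructed lookup table standing in for DNS so the example runs offline.
const DEMO_DNS: Record<string, string[]> = {
  "auth.example.com": ["203.0.113.10"],
  "localhost": ["127.0.0.1"],
  "couchdb.internal": ["10.0.3.7"],
};
export const demoResolver: Resolver = (hostname) => DEMO_DNS[hostname] ?? [];

// Returns the subset of the given URLs that the guard refuses.
export function refusedUrls(urls: string[]): string[] {
  return urls.filter((u) => {
    try {
      assertSafeUrl(u, demoResolver);
      return false;
    } catch {
      return true;
    }
  });
}
```

Two points the guard does not solve on its own: checking the resolved address and then letting fetch resolve the name again leaves a DNS rebinding window, so a production wrapper should pin the checked address (for example through a custom agent) rather than re-resolve; and a network policy that drops egress from the container to the same ranges, as suggested above, catches whatever the application-level check misses.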


Metrics

  • CVSS v3.1: 7.7
  • Severity: HIGH
  • Fixed in:
  • Affected products: 1
  • Affected packages: Budibase / budibase < 3.39.0
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N