Description

Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4.

INFO

Published Date :

2026-04-03T15:41:13.955Z

Last Modified :

2026-04-03T20:04:33.012Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-31818 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-31818.

URL Resource
https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732 cve-icon cve-icon
https://github.com/Budibase/budibase/pull/18236 cve-icon cve-icon
https://github.com/Budibase/budibase/releases/tag/3.33.4 cve-icon cve-icon
https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact