CVE-2026-31818
Published: 03 April 2026
Summary
CVE-2026-31818 is a critical-severity server-side request forgery (SSRF, CWE-918) vulnerability in Budibase, an open-source low-code platform. Its CVSS v3.1 base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-4 (Information Flow Enforcement): enforces approved authorizations on outbound information flows from the Budibase server (egress filtering at the host or network layer), so that a forged request issued through the REST datasource connector cannot reach unauthorized internal destinations even if the application-level check fails.
- CM-6 (Configuration Settings): establishes and enforces secure configuration settings; for this issue that means setting the BLACKLIST_IPS environment variable explicitly in official Budibase deployments, because the SSRF blacklist is inert while the variable is empty.
- Input validation of user-supplied URLs: validates the destination entered in the REST datasource connector and rejects addresses that would turn the server into an SSRF proxy for internal or metadata endpoints.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An SSRF in a network-accessible Budibase app (T1190, Exploit Public-Facing Application) directly enables internal host and service discovery (T1018 Remote System Discovery, T1046 Network Service Discovery) and cloud instance metadata access (T1522) by bypassing the IP blacklist and letting the attacker issue forged server-side requests to resources they could not reach directly.
NVD Description
Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4.
Deeper analysis
CVE-2026-31818 is a server-side request forgery (SSRF) vulnerability in Budibase, an open-source low-code platform, affecting versions prior to 3.33.4. The issue resides in the REST datasource connector, where the SSRF protection mechanism, an IP blacklist driven by the BLACKLIST_IPS environment variable, is rendered ineffective. The variable is not set by default in any official deployment configuration, and when it is empty the blacklist function unconditionally returns false, so every destination is allowed. In other words the check fails open: the protective code exists, but its default configuration disables it. The vulnerability is classified as CWE-918 (Server-Side Request Forgery) and CWE-1188 (Initialization of a Resource with an Insecure Default), the latter capturing the root cause.
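To make the fail-open behaviour concrete, the following TypeScript is an added illustration written for this page; it is not Budibase's code and does not reproduce the project's implementation. It places a blacklist check that returns false whenever the configured list is empty (the pattern the advisory describes) next to a fail-closed version that denies loopback, RFC 1918, link-local and similar ranges by default and treats BLACKLIST_IPS as purely additive. Only the BLACKLIST_IPS variable name comes from the advisory; the function names, the CIDR parser, the built-in deny list and the sample destinations are assumptions made for the example.

```typescript
// Added illustration, not Budibase's code: a fail-open blacklist check (the
// pattern the advisory describes) next to a fail-closed replacement. Only the
// BLACKLIST_IPS name comes from the advisory; function names, ranges, parser
// and sample inputs are assumed for this example.

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number. Anything
// else (hostnames, IPv6, hex/decimal forms such as 0x7f.0.0.1 or 2130706433)
// yields null, so alternative encodings cannot slip past a CIDR match.
function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True when `ip` lies inside `cidr` ("10.0.0.0/8"; a bare address means /32).
function inCidr(ip: string, cidr: string): boolean {
  const [base, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  if (bits === 0) return true;
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Split a comma-separated BLACKLIST_IPS value; unset or empty gives [].
function parseList(env: string | undefined): string[] {
  return (env ?? "").split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// VULNERABLE PATTERN (fail-open): with BLACKLIST_IPS unset or empty the check
// returns false for every destination, as the advisory describes. Even when the
// list is set, a hostname such as "localhost" never matches a CIDR string, so
// the check is also bypassable unless the caller resolves the name first.
function isBlacklistedFailOpen(host: string, blacklistEnv: string | undefined): boolean {
  const list = parseList(blacklistEnv);
  if (list.length === 0) return false; // nothing configured => nothing blocked
  return list.some((cidr) => inCidr(host, cidr));
}

// Built-in deny list that applies regardless of configuration (assumed for this
// example): loopback, RFC 1918, link-local (which covers the cloud metadata
// endpoint 169.254.169.254), CGNAT and the "this network" block.
const ALWAYS_DENIED: readonly string[] = [
  "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
  "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
];

// HARDENED (fail-closed): the caller passes the *resolved* IPv4 address of the
// destination; non-literal input is rejected outright, the built-in ranges
// always apply, and BLACKLIST_IPS can only add more ranges.
function isBlacklistedFailClosed(resolvedIp: string, blacklistEnv: string | undefined): boolean {
  if (ipv4ToInt(resolvedIp) === null) return true; // unknown form => deny
  const deny = [...ALWAYS_DENIED, ...parseList(blacklistEnv)];
  return deny.some((cidr) => inCidr(resolvedIp, cidr));
}

// Run both checks over a list of destinations and return
// { destination: [failOpenBlocked, failClosedBlocked] }.
function compare(hosts: string[], env: string | undefined): Record<string, [boolean, boolean]> {
  const out: Record<string, [boolean, boolean]> = {};
  for (const h of hosts) {
    out[h] = [isBlacklistedFailOpen(h, env), isBlacklistedFailClosed(h, env)];
  }
  return out;
}

// Constructed sample: destinations a low-privileged builder could type into a
// REST datasource, evaluated with BLACKLIST_IPS unset (the shipped default).
const SAMPLE_DESTINATIONS = ["169.254.169.254", "10.0.0.5", "localhost", "0x7f.0.0.1", "93.184.216.34"];
const DEFAULT_RESULT = compare(SAMPLE_DESTINATIONS, undefined);
```

With BLACKLIST_IPS unset, the fail-open check lets every sample destination through, including the metadata endpoint and the RFC 1918 address, while the fail-closed check denies all of them except the public address. Two design points matter in practice: the hardened check must run on the address the HTTP client will actually connect to (resolve first, then check, then connect to that same address) or a hostname and DNS rebinding will route around it, and the deny list has to be the default rather than something an operator remembers to configure, which is exactly the CM-6 point above.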
The vulnerability has a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N), indicating it is exploitable over the network with low attack complexity, requiring only low privileges, no user interaction, and resulting in a scope change with high impacts to confidentiality and integrity. Low-privileged authenticated users can exploit this to forge requests from the Budibase server, potentially accessing or manipulating internal network resources, services, or metadata that would otherwise be inaccessible.
Budibase has patched the vulnerability in version 3.33.4; the fix is to upgrade to that version or later and confirm the running version afterwards. Deployments that cannot upgrade immediately should set BLACKLIST_IPS explicitly, since the protection is inert while the variable is empty, and should restrict outbound connections from the Budibase server at the network layer. Official resources include the GitHub security advisory GHSA-7r9j-r86q-7g45, the fix commit (5b0fe83d4ece52696b62589cba89ef50cc009732), pull request #18236, and the release notes for v3.33.4.
Details
- CWE(s)