Cyber Resilience

CVE-2026-31818

CriticalPublic PoC

Published: 03 April 2026

Published
03 April 2026
Modified
08 April 2026
KEV Added
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
EPSS Score 0.0038 29.4th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-31818 is a critical-severity SSRF (CWE-918) vulnerability in Budibase Budibase. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-31818 is a server-side request forgery (SSRF) vulnerability in Budibase, an open-source low-code platform, affecting versions prior to 3.33.4. The issue resides in the REST datasource connector, where the SSRF protection mechanism—an IP blacklist enforced via the BLACKLIST_IPS environment variable—is rendered ineffective. This variable is not set by default in any official deployment configurations, causing the blacklist function to unconditionally return false when empty and allow all requests without restriction. The vulnerability is associated with CWE-918 (SSRF) and CWE-1188.

The vulnerability has a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N), indicating it is exploitable over the network with low attack complexity, requiring only low privileges, no user interaction, and resulting in a scope change with high impacts to confidentiality and integrity. Low-privileged authenticated users can exploit this to forge requests from the Budibase server, potentially accessing or manipulating internal network resources, services, or metadata that would otherwise be inaccessible.

Budibase has patched the vulnerability in version 3.33.4. Mitigation involves upgrading to this version or later. Official resources include the GitHub security advisory at GHSA-7r9j-r86q-7g45, the patching commit (5b0fe83d4ece52696b62589cba89ef50cc009732), pull request #18236, and release notes for v3.33.4.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not…

more

set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1018 Remote System Discovery Discovery
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF in network-accessible Budibase app (T1190) directly enables internal host/service discovery (T1018/T1046) and cloud metadata access (T1522) by bypassing IP restrictions and allowing forged server-side requests to otherwise inaccessible resources.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33226Same product: Budibase Budibase
CVE-2026-25737Same product: Budibase Budibase
CVE-2026-41428Same product: Budibase Budibase
CVE-2026-31816Same product: Budibase Budibase
CVE-2026-25044Same product: Budibase Budibase
CVE-2026-25041Same product: Budibase Budibase
CVE-2026-35216Same product: Budibase Budibase
CVE-2026-35214Same product: Budibase Budibase
CVE-2026-30240Same product: Budibase Budibase
CVE-2026-27702Same product: Budibase Budibase

Affected Assets

budibase
budibase
≤ 3.33.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for controlling outbound information flows from the Budibase server, preventing SSRF exploitation via the REST datasource connector to unauthorized internal destinations.

prevent

Establishes and enforces secure configuration settings such as the BLACKLIST_IPS environment variable to activate SSRF protections in official Budibase deployments.

prevent

Validates user-supplied URLs in the REST datasource connector inputs to block malicious destinations that enable SSRF attacks.

References