CVE-2026-48128
Description
Budibase is an open-source low-code platform. Prior to 3.39.0, the executeQuery automation step in Budibase accepts a queryId from automation step inputs and passes it directly to the query execution controller without additional validation. When combined with a REST datasource configured to target internal infrastructure, this creates a server-side request forgery path where automation execution causes the Budibase server to make outbound HTTP requests to attacker-influenced destinations. The automation output then returns the response, potentially exposing internal service data. This vulnerability is fixed in 3.39.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Budibase prior to 3.39.0 lacks validation on queryId in automation steps, enabling SSRF via crafted REST datasource queries.
Vulnerability
In Budibase versions prior to 3.39.0, the executeQuery automation step accepts a queryId from automation step inputs and passes it directly to the query execution controller (queryController.executeV2AsAutomation) without additional validation [1]. The build context is constructed using the provided queryId and user-controlled parameters, and no checks are performed to ensure the referenced query is appropriate for automation use, that the associated datasource targets an allowlisted destination, or that supplied parameters do not override security-sensitive fields [1]. The vulnerable code path is reachable when an attacker has builder-level access to the Budibase application [1].
Exploitation
An attacker with builder-level access can create a REST datasource with a base URL pointing to an internal network endpoint (e.g., cloud metadata service), create a query against that datasource, and then create an automation whose Execute Query step references that query [1]. When the automation is triggered, the Budibase server issues an HTTP request from its own network context to the attacker-specified destination, and the response is captured in the automation output [1]. The attacker must have builder-level access to the Budibase application, which is a prerequisite for configuring datasources and automations [1].
Impact
Successful exploitation results in server-side request forgery (SSRF), where the Budibase server makes outbound HTTP requests to attacker-influenced destinations [1]. The automation output returns the response, potentially exposing internal service data (e.g., from cloud metadata services, internal APIs) to the attacker [1]. The attacker does not need to rely on user interaction or additional privileges beyond builder-level access [1].
Mitigation
The vulnerability is fixed in Budibase version 3.39.0, released on or around the publishing date of the advisory [1]. All users running versions prior to 3.39.0 should upgrade immediately to the patched version [1]. No known public exploitation in the wild has been reported as of the advisory date, and the CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. If upgrading is not immediately possible, restrict builder-level access and avoid exposing the Budibase application to untrusted users [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
1feab9955aeb5 Bump version to 3.39.0
1 file changed · +1 −1
lerna.json+1 −1 modified@@ -1,6 +1,6 @@ { "$schema": "node_modules/lerna/schemas/lerna-schema.json", - "version": "3.38.5", + "version": "3.39.0", "npmClient": "yarn", "concurrency": 20, "command": {
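Review bot: the only change in this hunk is the version string in lerna.json (3.38.5 to 3.39.0); the queryId validation that the advisory credits to 3.39.0 is not part of this diff, so the release commit should reference the commit that adds the check, otherwise a reviewer cannot verify the fix from this patch alone.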
Vulnerability mechanics
Root cause
"Missing validation of the queryId in the executeQuery automation step allows the Budibase server to execute arbitrary queries against attacker-controlled REST datasources targeting internal infrastructure."
Attack vector
An attacker with builder-level access to a Budibase application creates a REST datasource whose base URL points to an internal network endpoint (e.g., a cloud metadata service at `http://169.254.169.254`). They then create a query against that datasource and an automation whose Execute Query step references that query via `queryId`. When the automation is triggered, the Budibase server issues the HTTP request from its own network context and returns the response in the automation output [ref_id=1]. The attacker must be authenticated with builder-level access, and the Budibase server must have network access to the internal target.
Affected code
The vulnerability resides in the executeQuery automation step. The advisory [ref_id=1] identifies that the step accepts a `queryId` from automation step inputs and passes it to `queryController.executeV2AsAutomation` via a context built by `buildCtx()`, with no validation that the referenced query is appropriate for automation use or that the associated datasource targets an allowlisted destination.
What the fix does
The only patch provided [patch_id=2725532] bumps the version from 3.38.5 to 3.39.0 in `lerna.json` and does not show the code-level fix. The advisory [ref_id=1] states the vulnerability is fixed in 3.39.0 but does not describe the specific remediation. Based on the advisory, the fix likely adds validation to confirm that the query referenced by the automation step is appropriate for automation use and that the associated datasource does not target disallowed destinations.
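One shape the datasource destination check could take, added here as an example and not Budibase's own fix (the function names and the allowlist parameter are assumptions). It gates a REST datasource base URL before an automation is allowed to execute a query against it, rejecting non-HTTP schemes and literal internal addresses such as the link-local metadata range named above:

```javascript
// Added example, not Budibase's own code: a destination check of the kind the advisory
// implies for REST datasources that automations are allowed to execute.
// Function names and the allowedHosts parameter are hypothetical.

// Literal IPv4 ranges an automation should never reach through a datasource: unspecified,
// loopback, RFC 1918, CGNAT and link-local (which covers the 169.254.169.254 metadata endpoint).
function isDisallowedIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127);
}

// Same idea for IPv6 literals: unspecified, loopback, unique-local, link-local, IPv4-mapped.
function isDisallowedIPv6(ip) {
  const v6 = ip.toLowerCase();
  if (v6 === "::" || v6 === "::1") return true;
  if (/^f[cd]/.test(v6) || /^fe[89ab]/.test(v6)) return true;
  const mapped = v6.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  return mapped ? isDisallowedIPv4(mapped[1]) : false;
}

// Returns { ok: true } or { ok: false, reason }. allowedHosts is an operator-configured
// allowlist; an empty list means "blocklist only". The WHATWG URL parser canonicalises
// hostnames first, so forms like http://127.1 or http://0x7f000001 arrive as 127.0.0.1.
function checkDatasourceUrl(baseUrl, allowedHosts = []) {
  let url;
  try { url = new URL(baseUrl); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: "scheme not allowed" };
  const host = url.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "loopback host" };
  if (host.startsWith("[")) {
    if (isDisallowedIPv6(host.slice(1, -1))) return { ok: false, reason: "private/link-local IPv6" };
  } else if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    if (isDisallowedIPv4(host)) return { ok: false, reason: "private/link-local IPv4" };
  }
  if (allowedHosts.length && !allowedHosts.includes(host)) return { ok: false, reason: "host not on allowlist" };
  // Caveat: this vets the literal host only. A public name that resolves to an internal
  // address (or rebinds after the check) still needs resolve-then-connect against the
  // vetted address; this function is the policy gate, not the resolver.
  return { ok: true };
}
```

The same gate applied at query execution time (not only at datasource creation) closes the path where a datasource is edited after the automation referencing it was built.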
Preconditions
- auth: Attacker must be authenticated with builder-level access to the Budibase application
- network: Budibase server must have network access to the internal target endpoint
- input: Attacker must be able to create a REST datasource, a query, and an automation
Reproduction
The advisory [ref_id=1] includes a full PoC. First, create a REST datasource targeting an internal endpoint (e.g., `http://169.254.169.254`). Second, create a query against that datasource with the desired path. Third, create an automation with an Execute Query step referencing the query's `queryId`. Finally, trigger the automation via `POST /api/automations/{id}/trigger` to receive the internal service response in the automation output.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References