High severity7.7NVD Advisory· Published May 27, 2026· Updated May 28, 2026
CVE-2026-48146
CVE-2026-48146
Description
Budibase is an open-source low-code platform. Prior to 3.39.0, the OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts uses raw fetch(config.url) with no SSRF protection. The safe wrapper fetchWithBlacklist() exists in the same codebase and is used in every other outbound HTTP call (automation steps, plugin downloads, object store), but was not applied to the OAuth2 token endpoint. A user with BUILDER role can point the OAuth2 token URL to internal services (CouchDB, cloud metadata) to exfiltrate sensitive data. This vulnerability is fixed in 3.39.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@budibase/servernpm | < 3.39.0 | 3.39.0 |
Affected products
2Patches
Vulnerability mechanics
References
3News mentions
1- Budibase: 18 CVEs Disclosed in Single Batch — Critical Auth Bypass and SSRF Flaws PatchedVypr Intelligence · May 27, 2026