VYPR
High severity8.5NVD Advisory· Published May 27, 2026· Updated May 27, 2026

CVE-2026-48153

CVE-2026-48153

Description

Budibase is an open-source low-code platform. Prior to 3.39.0, fetchToken in the OAuth2 SDK makes a POST to a builder-supplied URL with plain node-fetch, skipping the blacklist.isBlacklisted check that every other outbound fetch path in the codebase uses. The Joi schema for the OAuth2 URL has no scheme or host restriction. This vulnerability is fixed in 3.39.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@budibase/servernpm
< 3.39.03.39.0

Affected products

2
  • Budibase/Budibaseinferred2 versions
    <3.39.0+ 1 more
    • (no CPE)range: <3.39.0
    • (no CPE)range: <3.39.0

Patches

Vulnerability mechanics

References

3

News mentions

1