CVE-2026-54353 | Budibase is an open-source low-code platform. Prior to 3.39.… | CVSS 8.5 HIGH

Description

Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS lookup through node-fetch. Since the validated IPs are never pinned to the connection, an attacker-controlled hostname can return a public IP during validation and a private/internal IP during the real connection. This results in a non-blind SSRF primitive against internal services reachable from the Budibase host, including loopback, RFC1918 ranges, and cloud metadata endpoints. This vulnerability is fixed in 3.39.9.

Metadata

CVE ID: CVE-2026-54353
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-12 19:23 UTC
Published: 2026-06-26 20:44 UTC
Last updated: 2026-06-26 20:44 UTC
Primary CWE: CWE-367
CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
Vendor / Product: Budibase / budibase
Sources: cve.org · NVD

Severity & Metrics

8.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Affected products (1)

Vendor	Product	Platform	Versions
Budibase	budibase	—	< 3.39.9

Weakness (CWE)

CWE	Source	Description
CWE-367	cna	CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
CWE-918	cna	CWE-918: Server-Side Request Forgery (SSRF)

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.5	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

References (1)

https://github.com/Budibase/budibase/security/advisories/GHSA-gfq7-5x4g-3xhf https://github.com/Budibase/budibase/security/advisories/GHSA-gfq7-5x4g-3xhf