Budibase, the popular open-source low-code platform used by engineers to rapidly build internal tools, has released urgent security patches to address two critical vulnerabilities. The flaws, which include an unauthenticated Remote Code Execution (RCE) and a high-impact Server-Side Request Forgery (SSRF), could allow attackers to completely compromise self-hosted deployments and exfiltrate sensitive data layer credentials.
The first flaw, tracked as CVE-2026-35216 (CVSS 9.1), allows an unauthenticated attacker to execute arbitrary OS commands as root inside the application container.
The vulnerability is found in the platform’s automation engine. If an administrator has created a standard automation that uses a Bash step triggered by a public webhook, the system becomes a ticking time bomb. An attacker can simply send a malicious payload to the public webhook endpoint to trigger the exploit.
The Impact of a Successful Breach:
- Secret Exfiltration: Attackers can steal JWT secrets, database credentials, and API keys.
- Network Pivoting: Once inside the container, attackers can reach internal services like CouchDB, Redis, and MinIO that are not exposed to the internet.
- Full Data Control: Access to the CouchDB backend allows for the reading, writing, or deletion of all application data.
The second critical flaw, CVE-2026-31818 (CVSS 9.6), targets Budibase’s REST datasource connector. While Budibase includes an SSRF protection mechanism (an IP blacklist), researchers found that this shield is effectively non-existent in default configurations.
The BLACKLIST_IPS environment variable is not set by default in official deployment files. When this variable is empty, the security function “unconditionally returns false” (that is, it reports every destination as not blocked), so all requests are allowed through, including those to sensitive internal networks.
As the advisory notes, “A successful exploit grants full read/write access to the entire Budibase data layer… [including] CouchDB credentials which are embedded in the environment variables visible to the application container”.
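To make the fail-open behaviour concrete, here is an added example (not Budibase's own code) of an outbound-request guard for a REST datasource. `isBlockedFailOpen` reproduces the pattern the article describes, where an empty blacklist means nothing is blocked; `isBlockedFailClosed` denies loopback, link-local and RFC 1918 ranges by default and treats the operator's `BLACKLIST_IPS` entries as additions to that list. The comma-separated IPv4/CIDR format for the variable is an assumption made for this example.

```typescript
// Added example, not Budibase code. Demonstrates a fail-open SSRF blacklist
// (empty list => allow everything) beside a fail-closed version that denies
// internal ranges by default. BLACKLIST_IPS parsing format is assumed to be a
// comma-separated list of IPv4 addresses or CIDR prefixes.

type Cidr = { base: number; bits: number };

// Parse dotted-quad IPv4 into an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip: string): number | null {
  const parts = ip.trim().split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    value = value * 256 + n;
  }
  return value;
}

// Parse "a.b.c.d" or "a.b.c.d/n" into a CIDR block; null if malformed.
function parseCidr(entry: string): Cidr | null {
  const parts = entry.trim().split("/");
  if (parts.length > 2) return null;
  const base = ipv4ToInt(parts[0] ?? "");
  if (base === null) return null;
  const bits = parts[1] === undefined ? 32 : Number(parts[1]);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) return null;
  return { base, bits };
}

// True if the integer IP falls inside the CIDR block.
function inCidr(ip: number, cidr: Cidr): boolean {
  if (cidr.bits === 0) return true; // a /0 matches everything
  const mask = (0xffffffff << (32 - cidr.bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((cidr.base & mask) >>> 0);
}

// Ranges a REST datasource should never reach unless explicitly allowed.
const PRIVATE_RANGES: Cidr[] = [
  "127.0.0.0/8",    // loopback
  "10.0.0.0/8",     // RFC 1918
  "172.16.0.0/12",  // RFC 1918
  "192.168.0.0/16", // RFC 1918
  "169.254.0.0/16", // link-local, including cloud metadata endpoints
  "0.0.0.0/8",      // "this" network
].map((e) => parseCidr(e) as Cidr);

// Parse the operator-supplied environment value, dropping malformed entries.
function parseBlacklist(env: string | undefined): Cidr[] {
  if (!env) return [];
  return env.split(",").map(parseCidr).filter((c): c is Cidr => c !== null);
}

// Fail-open variant (the behaviour the article describes): with no configured
// entries, every destination is allowed, including internal ones.
function isBlockedFailOpen(ip: string, env: string | undefined): boolean {
  const list = parseBlacklist(env);
  if (list.length === 0) return false;
  const n = ipv4ToInt(ip);
  if (n === null) return false;
  return list.some((c) => inCidr(n, c));
}

// Fail-closed variant: private ranges are always denied, an unparseable
// address is denied, and operator entries only ever add to the deny list.
function isBlockedFailClosed(ip: string, env: string | undefined): boolean {
  const n = ipv4ToInt(ip);
  if (n === null) return true;
  const list = [...PRIVATE_RANGES, ...parseBlacklist(env)];
  return list.some((c) => inCidr(n, c));
}
```

Note that either check is only meaningful when applied to the address the request will actually connect to, after DNS resolution, rather than to the hostname the user typed; resolving first and checking the resulting address avoids bypasses through hostnames that point at internal ranges.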
Both vulnerabilities affect all self-hosted Budibase deployments running versions 3.30.6 and earlier.
Security Recommendations:
- Update Immediately: Budibase has released version 3.33.4, which contains full patches for both vulnerabilities.
- Audit Automations: Admins should review all automations that use Bash steps and ensure they are not using untrusted input from webhook templates.
- Configure Blacklists: For those on older versions, manually defining the BLACKLIST_IPS environment variable can help mitigate the SSRF risk.
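The "Audit Automations" step above can be scripted. The following is an added helper (not Budibase code) that walks a set of automation definitions and flags Bash steps, in webhook-triggered automations, whose inputs contain a binding that reads from the trigger. The export format, the `WEBHOOK` / `EXECUTE_BASH` step identifiers, the `trigger.` binding prefix and the sample automations are all assumptions made for this example; adapt the constants to a real export before use.

```typescript
// Added audit helper, not Budibase code. The automation shape below is an
// assumption for illustration: each automation has a trigger step and a list of
// action steps whose string inputs may carry Handlebars-style "{{ ... }}"
// bindings. Step identifiers and the binding prefix are likewise assumed.

const WEBHOOK_TRIGGER = "WEBHOOK";     // assumed trigger stepId
const BASH_STEP = "EXECUTE_BASH";      // assumed bash action stepId
const TRIGGER_PREFIX = "trigger.";     // assumed binding root for webhook data

interface Step { stepId: string; inputs: Record<string, unknown>; }
interface Automation { name: string; trigger: Step; steps: Step[]; }
interface Finding { automation: string; step: number; field: string; binding: string; }

const BINDING_RE = /\{\{\s*([^{}]+?)\s*\}\}/;

// Collect every "{{ ... }}" binding expression in a value, recursing into
// nested objects and arrays so bindings inside structured inputs are found.
function collectBindings(value: unknown, out: string[] = []): string[] {
  if (typeof value === "string") {
    const re = new RegExp(BINDING_RE.source, "g");
    let m: RegExpExecArray | null;
    while ((m = re.exec(value)) !== null) out.push((m[1] ?? "").trim());
  } else if (Array.isArray(value)) {
    for (const v of value) collectBindings(v, out);
  } else if (value && typeof value === "object") {
    for (const v of Object.values(value as Record<string, unknown>)) collectBindings(v, out);
  }
  return out;
}

// Flag every Bash step, in a webhook-triggered automation, whose inputs bind
// data from the trigger: that is exactly the untrusted-input path the
// recommendation asks admins to remove.
function auditAutomations(automations: Automation[]): Finding[] {
  const findings: Finding[] = [];
  for (const auto of automations) {
    if (auto.trigger.stepId !== WEBHOOK_TRIGGER) continue;
    for (let i = 0; i < auto.steps.length; i++) {
      const step = auto.steps[i];
      if (!step || step.stepId !== BASH_STEP) continue;
      for (const [field, value] of Object.entries(step.inputs)) {
        for (const binding of collectBindings(value)) {
          if (binding.startsWith(TRIGGER_PREFIX)) {
            findings.push({ automation: auto.name, step: i, field, binding });
          }
        }
      }
    }
  }
  return findings;
}

// Constructed sample export: one risky automation, one cron-triggered bash step
// (no webhook input), and one webhook automation with no bash step.
const SAMPLE: Automation[] = [
  {
    name: "notify-on-deploy",
    trigger: { stepId: WEBHOOK_TRIGGER, inputs: {} },
    steps: [
      { stepId: BASH_STEP, inputs: { code: "echo deploy {{ trigger.body.service }} >> /tmp/deploys.log" } },
    ],
  },
  {
    name: "nightly-cleanup",
    trigger: { stepId: "CRON", inputs: { cron: "0 2 * * *" } },
    steps: [{ stepId: BASH_STEP, inputs: { code: "find /tmp -mtime +7 -delete" } }],
  },
  {
    name: "webhook-to-row",
    trigger: { stepId: WEBHOOK_TRIGGER, inputs: {} },
    steps: [{ stepId: "CREATE_ROW", inputs: { row: { name: "{{ trigger.body.name }}" } } }],
  },
];

function auditSample(): Finding[] {
  return auditAutomations(SAMPLE);
}

for (const f of auditSample()) {
  console.log(`[${f.automation}] step ${f.step} field "${f.field}" binds ${f.binding}`);
}
```

A flagged automation should either drop the webhook binding from the Bash step or move the work to a non-shell step; on a patched version the upgrade closes the RCE, but an automation that still feeds webhook data into a shell command remains a risky design.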