15 matches found

Source: OSV (added 5 days ago, 6 views)

GHSA-CV96-5348-P5P8 Budibase: Unvalidated VectorDB Host Parameter Enables SSRF

Summary: The VectorDB configuration endpoint in Budibase accepts a host parameter that undergoes no validation against internal IP ranges, reserved hostnames, or URL schemes. Any authenticated user with builder-level access can supply an arbitrary host value such as 169.254.169.254 or localhost,...

CVSS 5.3 | AI score 5.6 | EPSS 0.00226
Exploits: 0 | References: 3
Source: Github Security Blog (added 5 days ago, 8 views)

Budibase: Unvalidated VectorDB Host Parameter Enables SSRF

Summary: The VectorDB configuration endpoint in Budibase accepts a host parameter that undergoes no validation against internal IP ranges, reserved hostnames, or URL schemes. Any authenticated user with builder-level access can supply an arbitrary host value such as 169.254.169.254 or localhost,...

CVSS 5.3 | AI score 5.6 | EPSS 0.00226
Exploits: 0 | References: 3 | Affected Software: 1
Source: OSV (added 5 days ago, 3 views)

GHSA-6964-PP88-6WP9 Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step

Summary: The executeQuery automation step in Budibase accepts a queryId from automation step inputs and passes it directly to the query execution controller without additional validation. When combined with a REST datasource configured to target internal infrastructure, this creates a server-side...

CVSS 5.1 | AI score 5.9 | EPSS 0.00311
Exploits: 0 | References: 3
Source: NVD (added 2026/05/27 6:16 p.m., 9 views)

CVE-2026-45716

Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured (the default for self-hosted Budibase instances),...

CVSS 8.8 | EPSS 0.00261
Exploits: 0 | References: 2
Source: Vulnrichment (added 2026/05/27 5:12 p.m., 9 views)

CVE-2026-48148 Budibase: Unvalidated VectorDB Host Parameter Enables SSRF

Budibase is an open-source low-code platform. Prior to 3.35.3, the VectorDB configuration endpoint in Budibase accepts a host parameter that undergoes no validation against internal IP ranges, reserved hostnames, or URL schemes. Any authenticated user with builder-level access can supply an...

CVSS 5.3 | AI score 5.9 | EPSS 0.00226
Exploits: 0 | References: 1
Source: CVE (added 2026/05/27 5:12 p.m., 12 views)

CVE-2026-48148

Budibase prior to 3.35.3 exposes an unvalidated VectorDB host parameter in its configuration endpoint. An authenticated builder-level user can supply a host like 169.254.169.254 or localhost, allowing the server to initiate outbound TCP connections to internal network addresses or cloud metadata ...

CVSS 5.3 | AI score 5.9 | EPSS 0.00226
Exploits: 0 | References: 1
Source: ATTACKERKB (added 2026/05/27 5:12 p.m., 6 views)

CVE-2026-48148

Budibase is an open-source low-code platform. Prior to 3.35.3, the VectorDB configuration endpoint in Budibase accepts a host parameter that undergoes no validation against internal IP ranges, reserved hostnames, or URL schemes. Any authenticated user with builder-level access can supply an...

CVSS 5.3 | AI score 5.9 | EPSS 0.00226
Exploits: 0 | References: 2 | Affected Software: 1
Source: CVE (added 2026/05/27 5:09 p.m., 9 views)

CVE-2026-45717

Budibase (prior to 3.38.1) exposed PUT /api/datasources/:datasourceId under TABLE/READ authorization, allowing any authenticated user with BASIC or higher to overwrite a datasource's config (host, port, database, URL, credentials). The update merges attacker-controlled fields without builder-leve...

CVSS 8.8 | AI score 6 | EPSS 0.00251
Exploits: 0 | References: 2
Source: Positive Technologies (added 2026/05/27 12:00 a.m., 6 views)

PT-2026-44059

Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 3.35.3

Description: The VectorDB configuration endpoint accepts a host parameter that lacks validation against internal IP ranges, reserved hostnames, or URL schemes. This allows an authenticated user with builder-lev...

CVSS 5.3 | AI score 5.9 | EPSS 0.00226
Exploits: 0 | References: 5
Source: Positive Technologies (added 2026/05/18 12:00 a.m., 7 views)

PT-2026-41795

Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 3.38.1

Description: An issue exists in the "POST /api/global/users/onboard" endpoint, which is protected by the workspaceBuilderOrAdmin middleware. This allows users with builder permissions to access the endpoint. In...

CVSS 8.8 | AI score 5.9 | EPSS 0.00261
Exploits: 0 | References: 5
Source: OSV (added 2026/05/15 5:59 p.m., 2 views)

GHSA-44M2-CRH7-F4Q2 Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, allowing any authenticated app user to overwrite datasource connection parameters including host, port, and URL

Summary: Budibase exposes a REST API for datasource management. The route PUT /api/datasources/:datasourceId is registered in the authorizedRoutes group with TABLE/READ permission. This is the same authorization level as the read endpoint GET /api/datasources/:datasourceId. Every authenticated...

CVSS 8.8 | AI score 6.1 | EPSS 0.00251
Exploits: 0 | References: 4
Source: Github Security Blog (added 2026/05/15 5:59 p.m., 14 views)

Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, allowing any authenticated app user to overwrite datasource connection parameters including host, port, and URL

Summary: Budibase exposes a REST API for datasource management. The route PUT /api/datasources/:datasourceId is registered in the authorizedRoutes group with TABLE/READ permission. This is the same authorization level as the read endpoint GET /api/datasources/:datasourceId. Every authenticated...

CVSS 8.8 | AI score 6.1 | EPSS 0.00251
Exploits: 0 | References: 4 | Affected Software: 1
Source: NVD (added 2026/04/03 4:16 p.m., 3 views)

CVE-2026-35218

Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's @html directive without any sanitization. An authenticated user with Builder access can create a table, automation, vie...

CVSS 8.7 | EPSS 0.0033
Exploits: 1 | References: 4
Source: ATTACKERKB (added 2026/04/03 3:47 p.m., 1 view)

CVE-2026-35218

Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's @html directive without any sanitization. An authenticated user with Builder access can create a table, automation, vie...

CVSS 8.7 | AI score 5.8 | EPSS 0.0033
Exploits: 1 | References: 5 | Affected Software: 1
Source: CVE (added 2025/08/20 8:03 a.m., 19 views)

CVE-2025-49396

CVE-2025-49396 covers a missing/incorrectly authorized access issue in the WordPress plugin Themify Builder up to version 7.6.7. Multiple sources (PT-security PT-2025-33938, CNNVD, CVE records) describe a Broken Access Control / Missing Authorization vulnerability that could be exploited due to ...

CVSS 4.3 | AI score 5.9 | EPSS 0.00222
Exploits: 0 | References: 1