CVE-2026-31818
Budibase · Budibase
Vulnerability data via NVD (ingested)
Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4.
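The fail-open behaviour described above, next to a fail-closed alternative, as an added illustration (not Budibase's code and not the 3.33.4 patch). The function names and the built-in range list are assumptions; only IPv4 is handled and anything else is refused.

```javascript
// Illustrative only: hypothetical function names, not Budibase source code.

// Ranges a server-side fetcher should refuse even when no blacklist is configured.
const ALWAYS_BLOCKED = [
  "0.0.0.0/8",       // "this" network
  "10.0.0.0/8",      // RFC 1918 private
  "127.0.0.0/8",     // loopback
  "169.254.0.0/16",  // link-local, includes cloud metadata endpoints
  "172.16.0.0/12",   // RFC 1918 private
  "192.168.0.0/16",  // RFC 1918 private
];

// Parse dotted-quad IPv4 into an unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if ipInt falls inside "a.b.c.d/len"; a bare address is treated as /32.
function inCidr(ipInt, cidr) {
  const [base, len = "32"] = cidr.trim().split("/");
  const baseInt = ipv4ToInt(base);
  if (baseInt === null || !/^\d{1,2}$/.test(len) || Number(len) > 32) return false;
  const size = 2 ** (32 - Number(len));
  return Math.floor(ipInt / size) === Math.floor(baseInt / size);
}

// Fail-open pattern from the advisory: an unset variable means nothing is blocked.
function isBlacklistedFailOpen(ip, blacklistEnv) {
  if (!blacklistEnv) return false;
  const ipInt = ipv4ToInt(ip);
  return ipInt !== null && blacklistEnv.split(",").some((c) => inCidr(ipInt, c));
}

// Fail-closed variant: built-in ranges always apply; config can only add to them.
function isBlockedFailClosed(ip, blacklistEnv) {
  const ipInt = ipv4ToInt(ip);
  if (ipInt === null) return true; // unparseable (or non-IPv4) input is refused
  const extra = blacklistEnv ? blacklistEnv.split(",") : [];
  return [...ALWAYS_BLOCKED, ...extra].some((c) => inCidr(ipInt, c));
}
```

A check like this only helps when it is applied to the address the hostname actually resolves to, and again after each redirect.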
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2026-31818
product:"Budibase Budibase"
http.html:"Budibase"
vulnerabilities.cve_id: CVE-2026-31818
"CVE-2026-31818" exploit -site:nvd.nist.gov