{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "last_affected": "3.30.6" } ] }, "events": [ { "introduced": "0" }, { "last_affected": "f1b9e2fbd8047c6dd292693a5419e6998338f410" } ], "repo": "https://github.com/budibase/budibase", "type": "GIT" } ] } ], "aliases": [ "GHSA-4647-wpjq-hh7f" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-918" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33226.json" }, "details": "Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions from 3.30.6 and prior, the REST datasource query preview endpoint (POST /api/queries/preview) makes server-side HTTP requests to any URL supplied by the user in fields.path with no validation. An authenticated admin can reach internal services that are not exposed to the internet — including cloud metadata endpoints (AWS/GCP/Azure), internal databases, Kubernetes APIs, and other pods on the internal network. On GCP this leads to OAuth2 token theft with cloud-platform scope (full GCP access). On any deployment it enables full internal network enumeration. At time of publication, there are no publicly available patches.", "id": "CVE-2026-33226", "modified": "2026-04-01T23:08:50.759859506Z", "published": "2026-03-20T23:04:24.424Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-4647-wpjq-hh7f" }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33226.json" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33226" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "type": "CVSS_V3" } ], "summary": "Budibase Unrestricted Server-Side Request Forgery (SSRF) via REST Datasource Query Preview" }