CVE-2026-33226: Budibase SSRF — Patch Guide
CVE-2026-33226
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions from 3.30.6 and prior, the REST datasource query preview endpoint (POST /api/queries/preview) make...
Overview
A significant security vulnerability, tracked as CVE-2026-33226, has been identified in the Budibase low-code platform. This flaw is a Server-Side Request Forgery (SSRF) vulnerability that exists in a specific API endpoint. If exploited, it allows an authenticated user with administrator privileges to make the Budibase server send requests to internal systems that are not meant to be accessible from the internet.
Vulnerability Details
In affected versions (3.30.6 and prior), the REST datasource query preview endpoint (POST /api/queries/preview) does not validate the destination of the request it is asked to make. It accepts any URL supplied in the fields.path parameter and issues an HTTP request to it from the Budibase server itself. The request therefore originates inside the network where Budibase is hosted and can reach loopback, private and link-local addresses that perimeter firewalls keep away from external clients.
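The missing check, written out as an added example in the platform's own language (this is not Budibase's code, and the function names and the injectable resolver are this example's own): the URL is parsed, only http/https is allowed, the host is resolved, and every resolved address is classified against loopback, private, link-local and cloud-metadata ranges before any request is made.

```typescript
// Added example, not Budibase code: the check a "preview this REST query"
// endpoint must run before it fetches a user-supplied fields.path URL.
// It resolves the host first and refuses any destination that lands in
// loopback, private, link-local (cloud metadata) or other internal ranges.
import { promises as dns } from "dns";
import * as net from "net";

// Hostnames that cloud providers map to their metadata services.
const METADATA_HOSTS = new Set(["metadata.google.internal", "metadata", "instance-data"]);

// True when an IPv4 literal must never be a server-side request target.
export function isBlockedIPv4(ip: string): boolean {
  const o = ip.split(".").map(Number);
  return (
    o[0] === 0 ||                                   // 0.0.0.0/8
    o[0] === 10 ||                                  // 10.0.0.0/8
    o[0] === 127 ||                                 // 127.0.0.0/8 loopback
    (o[0] === 100 && o[1] >= 64 && o[1] <= 127) ||  // 100.64.0.0/10 CGNAT (Alibaba Cloud IMDS 100.100.100.200)
    (o[0] === 169 && o[1] === 254) ||               // 169.254.0.0/16 link-local: AWS, GCP, Azure IMDS at 169.254.169.254
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||   // 172.16.0.0/12
    (o[0] === 192 && o[1] === 168) ||               // 192.168.0.0/16
    o[0] >= 224                                     // multicast, reserved, broadcast
  );
}

// True when an IPv6 literal must never be a target. IPv4-mapped addresses
// (::ffff:127.0.0.1, or ::ffff:7f00:1 as the URL parser serialises them)
// are unwrapped and judged as the embedded IPv4 address.
export function isBlockedIPv6(ip: string): boolean {
  const v6 = ip.toLowerCase();
  const dotted = /^(?:0*:)*ffff:(\d{1,3}(?:\.\d{1,3}){3})$/.exec(v6);
  if (dotted) return isBlockedIPv4(dotted[1]);
  const hex = /^(?:0*:)*ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(v6);
  if (hex) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isBlockedIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return (
    v6 === "::1" || v6 === "::" ||
    /^fe[89ab]/.test(v6) ||   // fe80::/10 link-local
    /^f[cd]/.test(v6) ||      // fc00::/7 unique-local; the AWS IMDS IPv6 endpoint fd00:ec2::254 is here
    /^ff/.test(v6)            // multicast
  );
}

export function isBlockedAddress(ip: string): boolean {
  const kind = net.isIP(ip);
  if (kind === 4) return isBlockedIPv4(ip);
  if (kind === 6) return isBlockedIPv6(ip);
  return true; // not an address literal: refuse rather than guess
}

// Synchronous policy decision. `resolved` holds the addresses the URL's host
// resolves to (ignored when the host is an IP literal). Returns null when the
// URL may be fetched, otherwise the reason it was refused.
export function checkPreviewUrl(raw: string, resolved: string[]): string | null {
  let url: URL;
  try { url = new URL(raw); } catch { return "malformed URL"; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return `scheme ${url.protocol} not allowed`;
  if (url.username || url.password) return "credentials in URL not allowed";
  // The WHATWG parser already canonicalises tricks such as http://2130706433/
  // or http://0x7f.1/ to 127.0.0.1; IPv6 literals keep their brackets.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost") || METADATA_HOSTS.has(host)) return `host ${host} not allowed`;
  const addrs = net.isIP(host) ? [host] : resolved;
  if (addrs.length === 0) return `host ${host} did not resolve`;
  // Every record is checked: a name with one public and one internal record
  // must not pass just because the HTTP client happens to pick the public one.
  for (const a of addrs) if (isBlockedAddress(a)) return `host ${host} resolves to internal address ${a}`;
  return null;
}

export type Resolver = (host: string) => Promise<string[]>;
// Real resolver; injectable so the policy can be exercised offline.
export const systemResolver: Resolver = async (host) =>
  (await dns.lookup(host, { all: true })).map((r) => r.address);

// Throws if the URL must not be previewed. Call this immediately before the
// request (and again on every redirect hop) to narrow the rebinding window.
export async function assertSafePreviewUrl(raw: string, resolve: Resolver = systemResolver): Promise<void> {
  let host = "";
  try { host = new URL(raw).hostname.replace(/^\[|\]$/g, ""); } catch { /* reported by checkPreviewUrl */ }
  const resolved = host && !net.isIP(host) ? await resolve(host).catch(() => [] as string[]) : [];
  const reason = checkPreviewUrl(raw, resolved);
  if (reason) throw new Error(`preview refused: ${reason}`);
}
```

Two caveats a reviewer would raise against even this version: the HTTP client must have redirects disabled (or re-run the check on each hop), since an allowed external host can 302 to 169.254.169.254; and there is still a window between the resolution done here and the one the HTTP client performs, which a DNS-rebinding attacker can exploit, so the check should ideally pin the connection to the vetted address, and the egress firewall rules described in the mitigation section remain necessary regardless.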
Impact and Risks
The impact of this vulnerability is severe (CVSS: 8.7). An attacker with admin credentials can force the Budibase server to probe and interact with internal infrastructure. This includes:
- Cloud Metadata Endpoints: Accessing services such as the AWS IMDS, the GCP metadata server, or the Azure Instance Metadata Service, all of which answer at 169.254.169.254 from inside the instance. On Google Cloud Platform this can lead to theft of OAuth2 access tokens for the instance's service account, which with the cloud-platform scope grant full cloud access.
- Internal Network Enumeration: Scanning and attacking internal databases, Kubernetes API servers, and other applications running on the private network.
- Data Breach and System Compromise: Stealing sensitive data from internal services or using the server as a launch point for further attacks within the network.
This flaw underscores the need to secure low-code platforms, which typically run inside the network with broad connectivity, with the same rigor applied to other core infrastructure.
Remediation and Mitigation
As of publication, there is no publicly available patch from Budibase. Immediate action is required to secure affected deployments.
Primary Mitigation: The most critical step is to immediately review and restrict administrator privileges. Ensure only absolutely necessary and trusted personnel have admin accounts. Monitor admin user activity closely.
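Monitoring admin activity for this endpoint is concrete enough to script. The block below is an added example, not Budibase's own audit tooling: it scans JSON-lines application events for POST /api/queries/preview calls whose fields.path points at an internal or metadata host, and flags accounts that hit several distinct internal targets, which reads as enumeration rather than a mistyped datasource. The event shape (ts, user, method, route, body.fields.path) and the sample lines are constructed for this example and are not a documented Budibase log format.

```typescript
// Added example, not Budibase's own audit tooling: scan JSON-lines application
// logs for query-preview calls aimed at internal or cloud-metadata hosts, and
// flag accounts that hit several such targets (a sign of enumeration).
// The event shape below (ts, user, method, route, body.fields.path) is an
// assumption of this example, not a documented Budibase log format.
interface PreviewEvent {
  ts: string;
  user: string;
  method: string;
  route: string;
  body?: { fields?: { path?: string } };
}
export interface Hit { ts: string; user: string; target: string }

// Heuristic: hostnames and address ranges a REST datasource preview should
// never be pointed at from inside a deployment.
const INTERNAL_HOST = new RegExp(
  "^(localhost|.*\\.localhost|metadata(\\.google\\.internal)?|instance-data" +
  "|127\\.\\d+\\.\\d+\\.\\d+|10\\.\\d+\\.\\d+\\.\\d+|192\\.168\\.\\d+\\.\\d+" +
  "|172\\.(1[6-9]|2\\d|3[01])\\.\\d+\\.\\d+|169\\.254\\.\\d+\\.\\d+" +
  "|100\\.(6[4-9]|[7-9]\\d|1[01]\\d|12[0-7])\\.\\d+\\.\\d+" +
  "|\\[::1\\]|\\[f[cd][0-9a-f:.]*\\]|\\[fe[89ab][0-9a-f:.]*\\])$", "i");

// One Hit per preview call whose target host matches the heuristic above.
export function findSuspiciousPreviews(lines: string[]): Hit[] {
  const hits: Hit[] = [];
  for (const line of lines) {
    let ev: PreviewEvent;
    try { ev = JSON.parse(line); } catch { continue; }              // skip non-JSON lines
    if (ev.method !== "POST" || ev.route !== "/api/queries/preview") continue;
    const path = ev.body && ev.body.fields ? ev.body.fields.path : undefined;
    if (!path) continue;
    let host: string;
    try { host = new URL(path).hostname; } catch { continue; }      // unparsable target: nothing would be fetched
    if (INTERNAL_HOST.test(host)) hits.push({ ts: ev.ts, user: ev.user, target: path });
  }
  return hits;
}

// Users with at least `threshold` distinct internal hosts: one hit may be a
// misconfigured datasource, several in a row looks like internal enumeration.
export function enumerationSuspects(hits: Hit[], threshold: number): string[] {
  const hostsByUser = new Map<string, Set<string>>();
  for (const h of hits) {
    const hosts = hostsByUser.get(h.user) || new Set<string>();
    hosts.add(new URL(h.target).hostname);
    hostsByUser.set(h.user, hosts);
  }
  return Array.from(hostsByUser.entries())
    .filter(([, hosts]) => hosts.size >= threshold)
    .map(([user]) => user);
}

// Constructed sample log for this example (not real Budibase output).
export const SAMPLE_LOG: string[] = [
  '{"ts":"2026-04-01T10:00:01Z","user":"admin@example.com","method":"POST","route":"/api/queries/preview","body":{"fields":{"path":"https://api.example.com/v1/users"}}}',
  '{"ts":"2026-04-01T10:00:05Z","user":"admin@example.com","method":"POST","route":"/api/queries/preview","body":{"fields":{"path":"http://169.254.169.254/latest/meta-data/iam/security-credentials/"}}}',
  '{"ts":"2026-04-01T10:00:09Z","user":"admin@example.com","method":"POST","route":"/api/queries/preview","body":{"fields":{"path":"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"}}}',
  '{"ts":"2026-04-01T10:00:12Z","user":"admin@example.com","method":"POST","route":"/api/queries/preview","body":{"fields":{"path":"http://10.0.3.7:6443/api"}}}',
  '{"ts":"2026-04-01T10:01:00Z","user":"dev@example.com","method":"POST","route":"/api/queries/preview","body":{"fields":{"path":"https://httpbin.org/get"}}}',
  '{"ts":"2026-04-01T10:01:03Z","user":"dev@example.com","method":"GET","route":"/api/queries","body":{}}',
  'not json at all',
];
```

Run over SAMPLE_LOG this yields three hits, all from admin@example.com (the IMDS credentials path, the GCP token path and a Kubernetes API port), and with a threshold of 3 that account is the single enumeration suspect. The hostname regex is deliberately a detection heuristic; it does not resolve names, so a preview aimed at an attacker-controlled DNS name that resolves internally will only be caught by the resolve-then-classify check on the server side or by egress logs.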
Network-Level Controls: Implement strict egress firewall rules on the host, container, or network segment where Budibase is deployed. Block outbound HTTP/HTTPS traffic from the Budibase server to internal network segments and to the cloud metadata addresses (169.254.169.254, and on AWS also the IPv6 IMDS endpoint fd00:ec2::254), and allow only the external destinations that configured datasources actually need. On AWS, additionally enforce IMDSv2 (HttpTokens=required) so that a plain GET to the metadata address without a session token returns nothing, and where Budibase runs in a bridged container keep the PUT response hop limit at 1 so the token cannot reach it; the advisory does not state whether the preview endpoint lets an attacker choose the request method and headers, so treat this as defense in depth rather than a fix.
General Security Advice: Treat low-code platforms with the same security rigor as any internet-facing application. Apply the principle of least privilege, conduct regular access reviews, and segment internal networks to limit the blast radius of such vulnerabilities.
Organizations should monitor the official Budibase security advisories for patch information and apply it as soon as it is released.