top of page
perceptive_background_267k.jpg

Budibase is an open-source low-code platform. Prior to 3.39.0, fetchToken in the OAuth2 SDK makes a POST to a builder-supplied URL with plain node-fetch, skippi…

Published:

26 mei 2026 om 22:00:00

Alert date:

27 mei 2026 om 19:08:13

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies, Enterprise Applications

Budibase open-source low-code platform contains a vulnerability in versions prior to 3.39.0. The fetchToken function in the OAuth2 SDK makes POST requests to builder-supplied URLs using plain node-fetch, bypassing the blacklist.isBlacklisted security check that other outbound fetch operations use. The Joi schema for OAuth2 URLs lacks scheme and host restrictions, allowing potential SSRF attacks. This security flaw has been addressed in version 3.39.0.

Technical details

Mitigation steps:

Affected products:

Budibase

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-48153
https://github.com/Budibase/budibase/security/advisories/GHSA-4q6h-8p4v-67vq

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page