CVE-2026-54353
published 2026-06-26CVE-2026-54353: Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS…
PriorityP340high7.1CVSS 3.1
AVNACHPRLUINSCCHILAN
EPSS
0.24%
15.1th percentile
Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS lookup through node-fetch. Since the validated IPs are never pinned to the connection, an attacker-controlled hostname can return a public IP during validation and a private/internal IP during the real connection. This results in a non-blind SSRF primitive against internal services reachable from the Budibase host, including loopback, RFC1918 ranges, and cloud metadata endpoints. This vulnerability is fixed in 3.39.9.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| budibase | backend-core | >= 0 < 3.39.9 | 3.39.9 |
| budibase | budibase | < 3.39.9 | 3.39.9 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
budibase up to 3.39.8 Socket Connection toctou (GHSA-gfq7-5x4g-3xhf / EUVD-2026-39915)
vuldb·2026-06-27·CVSS 8.5
CVE-2026-54353 [HIGH] budibase up to 3.39.8 Socket Connection toctou (GHSA-gfq7-5x4g-3xhf / EUVD-2026-39915)
A vulnerability, which was classified as critical, has been found in budibase up to 3.39.8. This affects an unknown part of the component Socket Connection Handler. This manipulation causes time-of-check time-of-use.
This vulnerability is handled as CVE-2026-54353. The attack can be initiated remotely. There is not any exploit available.
It is advisable to upgrade the affected component.
GHSA
@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation
ghsa·2026-06-22
CVE-2026-54353 [HIGH] CWE-367 @budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation
@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation
Summary
Authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding.
The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS lookup through node-fetch. Since the validated IPs are never pinned to the connection, an attacker-controlled hostname can return a public IP during validation and a private/internal IP during the real connection.
This results in a non-blind SSRF primitive against internal services reachable from the Budibase host, including loopback, RFC1918 ranges, and cloud metadata endpoints.
Details
The issue comes from the outbound fet
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-26
Published