Budibase Backend-Core vulnerabilities
5 known vulnerabilities affecting budibase/backend-core.
Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 2, MEDIUM 1
Vulnerabilities
CVE-2026-31818 | P2 | CRITICAL | ≥ 0, < 3.33.4 | 2026-04-03
CVE-2026-31818 [CRITICAL] CWE-1188 Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
## 1. Summary
| Field | Value |
|-------|-------|
| **Title** | SSRF via REST Connector with Empty Default Blacklist Leading to Full Internal Data Exfiltration |
| **Product** | Budibase |
| **Version** | 3.30.6 (latest stable as of 2026-02-25) |
| **Component** | REST Datasource Integratio
CVE-2026-48147 | P3 | CRITICAL | CVSS 9.1 | ≥ 0, < 3.35.4 | 2026-06-12
CVE-2026-48147 [CRITICAL] CWE-185 Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker
### Summary
The `buildMatcherRegex()` / `matches()` functions in `packages/backend-core/src/middleware/matchers.ts` share the same structural root cause as the recently patched CVE-2026-31816: route patterns are compiled into **unanchored regular
CVE-2026-54353 | P3 | HIGH | ≥ 0, < 3.39.9 | 2026-06-22
CVE-2026-54353 [HIGH] CWE-367 @budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation
Summary
Authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding.
The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS lookup th
CVE-2026-42239 | P3 | HIGH | ≥ 0, < 3.35.10 | 2026-04-24
CVE-2026-42239 [HIGH] CWE-1004 Budibase auth session cookies are set with httpOnly:false — any XSS can lead to full account takeover
### Summary
The `budibase:auth` cookie containing the JWT session token is set with `httpOnly: false` at `packages/backend-core/src/utils/utils.ts:218`. JavaScript can read this cookie via `document.cookie`. Given that Budibase has had XSS vulnerabilities (GHSA-g
CVE-2026-46424 | P4 | MEDIUM | ≥ 0, < 3.38.2 | 2026-05-19
CVE-2026-46424 [MEDIUM] CWE-269 Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour
## Summary
The public API role unassignment endpoint (`POST /api/public/v1/roles/unassign`) updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the auth