Zero Day MonitorZDM

← Back to list

8.5

CVE-2026-54353EXPLOITEDPATCHED

budiba · budibase

Budibase: Potential SSRF DNS rebinding bypass in outbound fetch validation

Description

Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS lookup through node-fetch. Since the validated IPs are never pinned to the connection, an attacker-controlled hostname can return a public IP during validation and a private/internal IP during the real connection. This results in a non-blind SSRF primitive against internal services reachable from the Budibase host, including loopback, RFC1918 ranges, and cloud metadata endpoints. This vulnerability is fixed in 3.39.9.

Affected Products

Vendor	Product	Versions
budiba	budibase	< 3.39.9

References

https://github.com/Budibase/budibase/security/advisories/GHSA-gfq7-5x4g-3xhf(x_refsource_CONFIRM)

Related News (1 articles)

Tier C

VulDB23h ago

CVE-2026-54353 | budibase up to 3.39.8 Socket Connection toctou (GHSA-gfq7-5x4g-3xhf)

→ No new info (linked only)

CVSS 3.18.5 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

@budibase/backend-core@3.39.9

CWECWE-367, CWE-918

PublishedJun 22, 2026

Last enriched22h agov2

Tags

GHSA-gfq7-5x4g-3xhfnpmCVE-2026-54353

Trending Score44

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-54350EXP

Budibase: Anonymous NoSQL operator injection via published-app query templates

HIGHCVE-2026-50132EXP

Budibase: Chat Identity Link Hijacking via Missing Consent & CSRF — Account Impersonation in Budibase

HIGHCVE-2026-50137EXP

Budibase: POST /api/attachments/:datasourceId/url is unauthenticated and lets anonymous callers mint S3 PUT pre-signed URLs using stored datasource IAM credentials

CRITICALCVE-2026-54352

Budibase: Arbitrary file read by workspace-builder via PWA-zip symlink upload

CRITICALCVE-2026-50136

Budibase: Unauthenticated S3 signed upload URL generation allows arbitrary writes with stored datasource credentials

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Jun 22, 2026

Discovered by ZDM

Jun 22, 2026

Actively Exploited

Jun 26, 2026

Patch Available

Jun 26, 2026

Updated: severity, activelyExploited, tags

Jun 27, 2026

Version History

v2

Last enriched 22h ago

v2Tier C22h ago

Updated severity to CRITICAL, marked as actively exploited, and added CVE-2026-54353 tag.

severityactivelyExploitedtags

via VulDB

v15d ago

Initial creation