CVE-2026-45548 — HIGH (CVSS 7.7)

Q: Is CVE-2026-45548 actively exploited?

No confirmed active exploitation of CVE-2026-45548 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-45548?

1. PATCH: Upgrade @budibase/server to ≥3.34.8 (fix replaces raw fetch() with fetchWithBlacklist() in packages/server/src/automations/steps/ai/extract.ts lines 116 and 139). 2. RESTRICT BUILDER ACCESS: Audit and revoke builder-level permissions for any non-essential or untrusted accounts immediately. 3. CLOUD HARDENING: On AWS, enforce IMDSv2 with hop-limit 1 on all EC2 instances hosting Budibase — this blocks SSRF access to the metadata service regardless of application-layer controls. Apply equivalent controls on GCP (metadata concealment) and Azure (IMDS access scoping). 4. EGRESS FILTERING: Apply host or container-level egress rules blocking 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16 from the Budibase server process. 5. DETECTION: Alert on any outbound connection from the Budibase process to private IP ranges or 169.254.169.254 — a single hit confirms active exploitation. 6. AUDIT EXISTING AUTOMATIONS: Review all AI Extract File steps with URL sources in your Budibase instance; inspect server request logs for historical internal-IP access patterns.

Q: What systems are affected by CVE-2026-45548?

This vulnerability affects the following AI/ML architecture patterns: AI automation workflows, agent frameworks, low-code/no-code AI platforms, cloud-hosted application backends.

Q: What is the CVSS score for CVE-2026-45548?

CVE-2026-45548 has a CVSS v3.1 base score of 7.7 (HIGH).

CISO Take

Budibase's AI Extract File automation step calls fetch() directly without the IP blacklist validation applied to every other outbound automation step in the codebase, meaning any authenticated builder can make server-side requests to 127.0.0.1, RFC1918 ranges, and—critically—the cloud metadata service at 169.254.169.254. On AWS, GCP, or Azure-hosted deployments this is a one-step path to temporary IAM credentials or managed-identity tokens; the CVSS Scope:Changed rating captures exactly this blast radius beyond the Budibase application boundary. With AC:L/PR:L and no public exploit required beyond knowledge of the step's URL field, exploitation takes under two minutes via the built-in test button for any builder-level account. Patch @budibase/server to 3.34.8 immediately; as an interim control, restrict builder access to trusted users, enforce IMDSv2 on AWS EC2 instances, and add egress filtering to block RFC1918 and 169.254.0.0/16 from the Budibase process.

Sources: NVD GitHub Advisory OpenSSF ATLAS

What is the risk?

HIGH. CVSS 7.7 with network-accessible vector, low attack complexity, low-privilege requirement, no user interaction, and Changed scope accurately describes real-world blast radius. Zero AI/ML expertise is needed to exploit this — the attack surface is the standard Budibase UI. The 81 prior CVEs in the same package and an OpenSSF Scorecard of 6.1/10 indicate a codebase with recurring security hygiene gaps. The primary risk scenario is cloud credential theft on hosted or SaaS Budibase deployments, where the harvested IAM role or service account token may carry privileges far exceeding the Budibase application itself. Multi-tenant deployments and Budibase Cloud are highest-risk due to shared infrastructure and concentrated credential value.

Attack Kill Chain

Initial Access

Attacker authenticates to Budibase with valid builder-level credentials — obtained legitimately, via phishing, or credential stuffing.

AML.T0012

SSRF Trigger

Attacker creates an automation with the AI Extract File step, sets URL source to http://169.254.169.254/latest/meta-data/iam/security-credentials/, and clicks Run Test to trigger the unvalidated fetch() call.

AML.T0049

Credential Harvest

Budibase server fetches the cloud metadata endpoint without IP blacklist checks and returns temporary IAM credentials (access key, secret, session token) in the automation result visible in the UI.

AML.T0055

Infrastructure Compromise

Attacker uses harvested cloud credentials externally to access AWS/GCP/Azure services as the instance role, potentially achieving lateral movement and full infrastructure control beyond the Budibase application boundary.

AML.T0091

Initial Access

Attacker authenticates to Budibase with valid builder-level credentials — obtained legitimately, via phishing, or credential stuffing.

AML.T0012

SSRF Trigger

Attacker creates an automation with the AI Extract File step, sets URL source to http://169.254.169.254/latest/meta-data/iam/security-credentials/, and clicks Run Test to trigger the unvalidated fetch() call.

AML.T0049

Credential Harvest

Budibase server fetches the cloud metadata endpoint without IP blacklist checks and returns temporary IAM credentials (access key, secret, session token) in the automation result visible in the UI.

AML.T0055

Infrastructure Compromise

Attacker uses harvested cloud credentials externally to access AWS/GCP/Azure services as the instance role, potentially achieving lateral movement and full infrastructure control beyond the Budibase application boundary.

AML.T0091

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
@budibase/server	npm	< 3.34.8	`3.34.8`
187.3K OpenSSF 6.1 16 dependents Pushed 5d ago 44% patched ~3d to patch Full package profile →

Do you use @budibase/server? You're affected.

Severity & Risk

CVSS 3.1

7.7 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR Low

UI None

S Changed

C High

I None

A None

What should I do?

6 steps

PATCH

Upgrade @budibase/server to ≥3.34.8 (fix replaces raw fetch() with fetchWithBlacklist() in packages/server/src/automations/steps/ai/extract.ts lines 116 and 139).
RESTRICT BUILDER ACCESS

Audit and revoke builder-level permissions for any non-essential or untrusted accounts immediately.
CLOUD HARDENING

On AWS, enforce IMDSv2 with hop-limit 1 on all EC2 instances hosting Budibase — this blocks SSRF access to the metadata service regardless of application-layer controls. Apply equivalent controls on GCP (metadata concealment) and Azure (IMDS access scoping).
EGRESS FILTERING

Apply host or container-level egress rules blocking 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16 from the Budibase server process.
DETECTION

Alert on any outbound connection from the Budibase process to private IP ranges or 169.254.169.254 — a single hit confirms active exploitation.
AUDIT EXISTING AUTOMATIONS

Review all AI Extract File steps with URL sources in your Budibase instance; inspect server request logs for historical internal-IP access patterns.

Classification

Data Extraction Auth Bypass Agent Framework AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0055 - Unsecured Credentials AML.T0083 - Credentials from AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

6.1.2 - AI risk treatment 8.4 - AI system operation

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain AI risk management

OWASP LLM Top 10

LLM07 - Insecure Plugin Design LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-45548?

Budibase's AI Extract File automation step calls fetch() directly without the IP blacklist validation applied to every other outbound automation step in the codebase, meaning any authenticated builder can make server-side requests to 127.0.0.1, RFC1918 ranges, and—critically—the cloud metadata service at 169.254.169.254. On AWS, GCP, or Azure-hosted deployments this is a one-step path to temporary IAM credentials or managed-identity tokens; the CVSS Scope:Changed rating captures exactly this blast radius beyond the Budibase application boundary. With AC:L/PR:L and no public exploit required beyond knowledge of the step's URL field, exploitation takes under two minutes via the built-in test button for any builder-level account. Patch @budibase/server to 3.34.8 immediately; as an interim control, restrict builder access to trusted users, enforce IMDSv2 on AWS EC2 instances, and add egress filtering to block RFC1918 and 169.254.0.0/16 from the Budibase process.

Is CVE-2026-45548 actively exploited?

No confirmed active exploitation of CVE-2026-45548 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-45548?

1. PATCH: Upgrade @budibase/server to ≥3.34.8 (fix replaces raw fetch() with fetchWithBlacklist() in packages/server/src/automations/steps/ai/extract.ts lines 116 and 139). 2. RESTRICT BUILDER ACCESS: Audit and revoke builder-level permissions for any non-essential or untrusted accounts immediately. 3. CLOUD HARDENING: On AWS, enforce IMDSv2 with hop-limit 1 on all EC2 instances hosting Budibase — this blocks SSRF access to the metadata service regardless of application-layer controls. Apply equivalent controls on GCP (metadata concealment) and Azure (IMDS access scoping). 4. EGRESS FILTERING: Apply host or container-level egress rules blocking 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16 from the Budibase server process. 5. DETECTION: Alert on any outbound connection from the Budibase process to private IP ranges or 169.254.169.254 — a single hit confirms active exploitation. 6. AUDIT EXISTING AUTOMATIONS: Review all AI Extract File steps with URL sources in your Budibase instance; inspect server request logs for historical internal-IP access patterns.

What systems are affected by CVE-2026-45548?

This vulnerability affects the following AI/ML architecture patterns: AI automation workflows, agent frameworks, low-code/no-code AI platforms, cloud-hosted application backends.

What is the CVSS score for CVE-2026-45548?

CVE-2026-45548 has a CVSS v3.1 base score of 7.7 (HIGH).

Technical Details

NVD Description

## Vulnerability Details **CWE-918**: Server-Side Request Forgery (SSRF) The `processUrlFile` function in `packages/server/src/automations/steps/ai/extract.ts` uses `fetch(fileUrl)` directly **without the IP blacklist validation** that is consistently applied to all other automation steps. This allows an authenticated user to trigger server-side requests to internal network addresses. ### Vulnerable Code **`packages/server/src/automations/steps/ai/extract.ts` (lines 116, 139)**: ```typescript async function processUrlFile(fileUrl: string, ...): Promise<ExtractInput> { const response = await fetch(fileUrl) // NO blacklist check! // ... const fallbackResponse = await fetch(fileUrl) // Also NO blacklist check! } ``` ### Contrast with All Other Automation Steps (Same Codebase) Every other automation step that makes outbound HTTP requests properly uses `fetchWithBlacklist`: - `steps/slack.ts:19`: `response = await fetchWithBlacklist(url, {...})` - `steps/discord.ts:28`: `response = await fetchWithBlacklist(url, {...})` - `steps/zapier.ts:33`: `response = await fetchWithBlacklist(url, {...})` - `steps/n8n.ts:53`: `response = await fetchWithBlacklist(url, request)` - `steps/outgoingWebhook.ts`: `response = await fetchWithBlacklist(url, {...})` - `steps/make.ts`: `response = await fetchWithBlacklist(url, {...})` The `fetchWithBlacklist` function (`steps/utils.ts:100`) validates URLs against the IP blacklist which blocks: - `127.0.0.0/8` (loopback) - `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16` (RFC1918 private) - `169.254.0.0/16` (link-local / cloud metadata) - IPv6 private addresses The AI Extract File step bypasses all of these protections. ## Steps to Reproduce ### Via Budibase UI 1. Login as builder user 2. Create or open any app 3. Go to **Automations** > **New Automation** 4. Add trigger: **App Action** 5. Add step: **AI > Extract File Data** 6. Set Source: `URL` 7. Set File URL: `http://169.254.169.254/latest/meta-data/` (or any internal IP) 8. Click **Run Test** — the server makes the request without IP blacklist validation ### Via curl (API) ```bash # 1. Login and get session cookie curl -s -c /tmp/bb.txt \ "http://BUDIBASE_HOST/api/global/auth/default/login" \ -X POST -H "Content-Type: application/json" \ -d '{"username":"YOUR_EMAIL","password":"YOUR_PASSWORD"}' # 2. Create automation with SSRF payload (replace YOUR_APP_ID) curl -s -b /tmp/bb.txt \ "http://BUDIBASE_HOST/api/automations" \ -X POST -H "Content-Type: application/json" \ -H "x-budibase-app-id: YOUR_APP_ID" \ -d '{"name":"SSRF PoC","definition":{"trigger":{"stepId":"APP","event":"row:save"},"steps":[{"stepId":"AI_EXTRACT","inputs":{"source":"URL","fileUrl":"http://169.254.169.254/latest/meta-data/"}}]}}' ``` ### Code Review Verification Compare the vulnerable function with the safe pattern used everywhere else: ``` VULNERABLE (no blacklist): packages/server/src/automations/steps/ai/extract.ts:116 const response = await fetch(fileUrl) SAFE (with blacklist) - every other step: packages/server/src/automations/steps/slack.ts:19 response = await fetchWithBlacklist(url, {...}) packages/server/src/automations/steps/discord.ts:28 response = await fetchWithBlacklist(url, {...}) ``` ### Expected vs Actual Behavior **Expected**: `processUrlFile()` should reject internal/private IPs via `fetchWithBlacklist()` **Actual**: `fetch(fileUrl)` is called directly, allowing requests to 127.0.0.1, 10.x.x.x, 169.254.169.254 etc. ## Impact An authenticated user with builder permissions can: - **Access cloud metadata endpoints** (AWS IAM credentials, GCP service tokens, Azure IMDS) - **Scan internal network** services and ports - **Access internal APIs** not intended for external access - **Exfiltrate data** from internal services via the automation response In Budibase Cloud (SaaS), this could be used to steal cloud provider credentials, potentially leading to full infrastructure compromise. ## Proposed Fix Replace `fetch(fileUrl)` with `fetchWithBlacklist(fileUrl)`, consistent with all other automation steps: ```typescript import { fetchWithBlacklist } from "../utils" async function processUrlFile(fileUrl: string, ...): Promise<ExtractInput> { const response = await fetchWithBlacklist(fileUrl) // Use blacklist // ... const fallbackResponse = await fetchWithBlacklist(fileUrl) // Use blacklist } ```

Exploitation Scenario

An attacker holding builder credentials in a Budibase instance running on an AWS EC2 instance creates a new automation with an App Action trigger. They add an AI Extract File step, set Source to URL, and enter http://169.254.169.254/latest/meta-data/iam/security-credentials/ as the File URL. Clicking Run Test causes the Budibase Node.js server process to call fetch() against the EC2 instance metadata service — bypassing all blacklist checks — and the automation result payload returns the JSON body containing a temporary AWS access key ID, secret access key, and session token. The attacker copies these credentials, configures the AWS CLI locally, and now operates as the EC2 instance IAM role. If that role is over-permissioned (common in self-hosted deployments), this escalates to full AWS account access. In Budibase Cloud multi-tenant SaaS, the same technique targets platform-level infrastructure credentials, representing potential cross-tenant blast radius.