CVE-2026-48148: Budibase: SSRF via VectorDB host exposes cloud metadata

### Summary The VectorDB configuration endpoint in Budibase accepts a host parameter that undergoes no validation against internal IP ranges, reserved hostnames, or URL schemes. Any authenticated user with builder-level access can supply an arbitrary host value such as `169.254.169.254` or localhost, causing the server to initiate outbound TCP connections to internal network addresses or cloud metadata endpoints on their behalf. ### Details The validator responsible for VectorDB creation and updates defines the host field as `Joi.string().required()`, which enforces only that the value is a non-empty string. No allowlist of external hostnames, no blocklist of RFC 1918 or link-local ranges, and no scheme validation are applied before the value is forwarded to the database SDK for connection establishment. When a VectorDB entry is created or updated, the SDK uses the supplied host directly to open a TCP connection. Because the connection attempt originates from the Budibase server process, it traverses internal network boundaries that would otherwise be inaccessible to the attacker. Differences in connection timing and error messages between reachable and unreachable hosts allow an attacker to enumerate internal services and determine whether specific addresses are live. In cloud environments, the AWS EC2 metadata service at `169.254.169.254`, the GCP metadata server at `metadata.google.internal`, and equivalent endpoints for other providers are all reachable this way. Builder access is a realistic precondition in multi-tenant or team deployments, as the builder role is intended to allow application development without granting administrative privileges over the underlying infrastructure. ### PoC ```python import requests import time BASE_URL = "https://TARGET_BUDIBASE_INSTANCE" SESSION = requests.Session() login_resp = SESSION.post(f"{BASE_URL}/api/global/auth/default/login", json={ "username": "builder@example.com", "password": "builderpassword" }) token = login_resp.cookies.get("budibase:auth") or login_resp.json().get("token") SESSION.headers.update({"Cookie": f"budibase:auth={token}"}) targets = [ ("169.254.169.254", 80), ("localhost", 5432), ("10.0.0.1", 22), ] for host, port in targets: start = time.time() resp = SESSION.post(f"{BASE_URL}/api/ai/vectordb", json={ "name": f"probe_{host.replace('.', '_')}_{port}", "provider": "pgvector", "host": host, "port": port, "database": "db" }) elapsed = time.time() - start print(f"host={host} port={port} status={resp.status_code} time={elapsed:.2f}s body={resp.text[:200]}") ``` ### Impact An attacker with builder access can use the Budibase server as a proxy to probe internal network topology, determine which hosts and ports are reachable from the server, and potentially interact with unauthenticated internal services including cloud instance metadata endpoints. In environments where cloud metadata endpoints expose credentials or instance identity documents, successful retrieval of metadata could lead to privilege escalation or lateral movement within the cloud environment. The attack requires no interaction beyond a single authenticated API request per probe target.

An attacker — a disgruntled developer, a compromised contractor account, or an external actor who has phished builder credentials — authenticates to a cloud-hosted Budibase instance and issues a POST request to /api/ai/vectordb with host set to 169.254.169.254, port 80, provider pgvector, and a dummy database name. The Budibase server, running on an EC2 instance, opens a TCP connection to the AWS instance metadata service on behalf of the attacker. The attacker iterates across multiple hosts and ports, using response timing differences and error content to map the internal network topology. A targeted follow-up retrieves the IMDSv1 metadata document at /latest/meta-data/iam/security-credentials/, obtaining a short-lived AWS access key, secret key, and session token for the attached IAM role. With these credentials the attacker queries S3 buckets for training data or sensitive documents, invokes Lambda functions, or pivots to RDS instances — all without any further vulnerability exploitation and without triggering alerts tied to the compromised builder account.