Budibase Low-Code Platform CVE-2026-31818 SSRF Flaw Allows Internal Network Access
Summary
A critical server-side request forgery (SSRF) vulnerability (CVE-2026-31818, CVSS 9.6) in Budibase, an open-source low-code platform, allows unauthenticated attackers to make the server issue requests to internal network resources. All versions prior to 3.33.4 are affected. The flaw was published to the NVD on April 4, 2026, and can be used to pivot to internal services and cloud metadata endpoints.
Threat Analysis
CVE-2026-31818 is a critical server-side request forgery (SSRF) vulnerability (CVSS 9.6) in Budibase, a popular open-source low-code platform used to build internal tools and applications. Prior to version 3.33.4, an unauthenticated attacker can exploit this flaw to make the Budibase server issue HTTP requests to arbitrary internal network resources, including cloud provider metadata endpoints (e.g., AWS IMDSv1), internal APIs, and other services not exposed to the internet. This can lead to credential theft, lateral movement within internal networks, and further compromise of cloud infrastructure.

A companion vulnerability, CVE-2026-35216 (CVSS 9.0), also affects Budibase prior to 3.33.4 and allows unauthenticated attackers to perform additional unauthorized actions. Both vulnerabilities were published to the NVD on April 4, 2026.

Organizations using Budibase should immediately update to version 3.33.4 or later, implement network egress controls that restrict outbound requests from Budibase instances, and audit access logs for signs of SSRF exploitation attempts.