CVE-2026-33226 - Vulnerability Analysis
High | CVSS: 8.7 | Last Updated: March 20, 2026
Budibase - Server Side Request Forgery
Published: March 20, 2026 | Updated: March 20, 2026 | Remote Exploitable
Overview
Budibase <= 3.30.6 contains a server-side request forgery (SSRF) vulnerability caused by a lack of validation in the REST datasource query preview endpoint. It lets authenticated admins access internal services and cloud metadata. Exploitation requires admin authentication.
Severity & Score
Severity: High
CVSS Score: 8.7
Impact
Authenticated admins can access internal services and cloud metadata, leading to full internal network enumeration and potential OAuth2 token theft on GCP.
Mitigation
Update to the latest version once patches are available.
Details
- CVE ID: CVE-2026-33226
- Severity: High
- CVSS Score: 8.7
- Type: server_side_request_forgery
- Status: new
CWE
- CWE-918
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N