Shenlong uses advanced large language model technology, but its output may contain inaccurate or outdated information. Shenlong strives to ensure data accuracy, but verify and judge against your actual situation.
POC: no public POC was found.

| CVE | CVSS | Title |
|---|---|---|
| CVE-2026-46425 | 9.9 CRITICAL | Budibase: SCIM endpoints lack role-based authorization, BASIC users CRUD tenant users |
| CVE-2026-48150 | 9.0 CRITICAL | Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assi |
| CVE-2026-45716 | 8.8 HIGH | Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Con |
| CVE-2026-45717 | 8.8 HIGH | Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permissio |
| CVE-2026-48152 | 8.1 HIGH | Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasour |
| CVE-2026-48149 | 8.1 HIGH | Budibase: Stored XSS in Text component: BASIC users execute JS in admin session via Markdo |
| CVE-2026-45715 | 7.7 HIGH | Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration |
| CVE-2026-46427 | 7.7 HIGH | Budibase: Snowflake private key returned unmasked from datasource API to BASIC users |
| CVE-2026-48146 | 7.7 HIGH | Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection |
| CVE-2026-45548 | 7.7 HIGH | Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation |
| CVE-2026-45061 | 7.7 HIGH | Budibase: SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload (`/api/plugin`) |
| CVE-2026-46426 | 7.6 HIGH | Budibase: Unrestricted Upload of File with Dangerous Type |
| CVE-2026-48151 | 7.5 HIGH | Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of |
| CVE-2026-48147 | 6.5 MEDIUM | Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection |
| CVE-2026-45719 | 6.5 MEDIUM | Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API |
| CVE-2026-45718 | 5.4 MEDIUM | Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on |
| CVE-2026-46424 | 4.2 MEDIUM | Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users |
| CVE-2026-48128 | | Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step |
| CVE-2026-48148 | | Budibase: Unvalidated VectorDB Host Parameter Enables SSRF |
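The "Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection" entry (CVE-2026-48147) names a general bug class that is easy to reproduce in isolation: a CSRF middleware exempts a few routes from the token check, tests the allow-list with a regex that has no `^` anchor, and runs it against the full request URL, so an attacker can make any URL "match" by placing the exempt path inside a query parameter. The TypeScript below is an added illustration written for this page; it is not Budibase's `matchers.ts` or any of its code, and the exempt route `/api/webhooks/trigger`, the forged URL and the token values are made up.

```typescript
// Added example, not Budibase code: the bug class behind an unanchored
// route-exemption regex in a CSRF middleware, and its fix.

// Hypothetical route exempted from the CSRF token check (made up for this example).
const EXEMPT_ROUTE = "/api/webhooks/trigger"
const ESCAPED_ROUTE = EXEMPT_ROUTE.replace(/\//g, "\\/")

// Vulnerable matcher: no ^ anchor, and (below) tested against path + query string.
const UNANCHORED = new RegExp(ESCAPED_ROUTE)

// Fixed matcher: anchored at the start, must end at a path-segment boundary,
// and (below) tested against the path component only.
const ANCHORED = new RegExp("^" + ESCAPED_ROUTE + "(?:/|$)")

// Strip the query string and fragment. A real app should take the parsed
// path from its framework rather than re-parsing the raw URL.
function pathOf(requestUrl: string): string {
  const idx = requestUrl.search(/[?#]/)
  return idx === -1 ? requestUrl : requestUrl.slice(0, idx)
}

// Vulnerable: substring match anywhere in the raw URL, query string included.
function isExemptVulnerable(requestUrl: string): boolean {
  return UNANCHORED.test(requestUrl)
}

// Fixed: anchored match against the path only.
function isExemptFixed(requestUrl: string): boolean {
  return ANCHORED.test(pathOf(requestUrl))
}

// Minimal CSRF decision: state-changing methods need a token that matches the
// session's token unless the route is exempt. (Safe methods are never checked.)
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"])

function csrfCheckPasses(
  method: string,
  requestUrl: string,
  tokenHeader: string | undefined,
  sessionToken: string,
  isExempt: (url: string) => boolean,
): boolean {
  if (SAFE_METHODS.has(method.toUpperCase())) return true
  if (isExempt(requestUrl)) return true
  return tokenHeader !== undefined && tokenHeader === sessionToken
}

// Constructed forged request: a cross-site POST to a sensitive route whose
// query string merely contains the exempt path. The attacker controls the
// query string freely (it is part of the form action or fetch URL).
const FORGED_URL = "/api/admin/users?redirect=/api/webhooks/trigger"

// Outcome of the same forged request under each matcher, with no CSRF token sent.
function demo(): { vulnerable: boolean; fixed: boolean } {
  return {
    // true: the forged request is waved through as an "exempt" route
    vulnerable: csrfCheckPasses("POST", FORGED_URL, undefined, "s3cret", isExemptVulnerable),
    // false: the path is /api/admin/users, so a valid token is required again
    fixed: csrfCheckPasses("POST", FORGED_URL, undefined, "s3cret", isExemptFixed),
  }
}
```

Two details matter in the fix: the anchor alone is not enough if the regex is still run against the raw URL (an attacker could still craft `/api/webhooks/trigger/../admin/users` style inputs depending on the router), so match against the normalized path the router actually dispatches on; and the trailing `(?:/|$)` stops `/api/webhooks/triggered` from inheriting the exemption.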