
CVE-2026-33226 - Vulnerability Analysis

Severity: High | CVSS: 8.7

Last Updated: March 23, 2026

Budibase - Server Side Request Forgery

Published: March 20, 2026 | Updated: March 23, 2026 | PoC Available | Remote Exploitable

Overview

Budibase <= 3.30.6 contains a server-side request forgery (SSRF) caused by a lack of validation in the REST datasource query preview endpoint. It lets authenticated admins access internal services and cloud metadata. Exploitation requires admin authentication.

Severity & Score

Severity: High
CVSS Score: 8.7
EPSS Score: 0.9% (Probability of exploitation in next 30 days)

Impact

Authenticated admins can access internal services and cloud metadata, leading to full internal network enumeration and potential OAuth2 token theft on GCP.

Mitigation

Update to the latest version once patches are available.
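
The missing validation described in the Overview is a destination check made before a server-side fetch is issued. The block below is an added example of such a check, not Budibase's code or its patch; the function names and the `resolved` parameter (the IPs the caller obtained from DNS for the hostname) are assumptions for illustration.

```javascript
// Added example (not Budibase code): decide whether a server-side fetch may
// go to a user-supplied URL. `resolved` is the list of IPs the caller got from
// DNS for the hostname; the request must then connect to exactly those IPs.
const BLOCKED_V4 = [            // [network, prefix length]
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16],          // link-local, includes cloud metadata services
  ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function v4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isBlockedAddress(addr) {
  const a = String(addr).toLowerCase();
  if (a.includes(":")) {
    // IPv6: loopback, unspecified, IPv4-mapped, unique-local, link-local.
    return a === "::1" || a === "::" || a.startsWith("::ffff:") ||
      /^f[cd][0-9a-f]{2}:/.test(a) || /^fe[89ab][0-9a-f]:/.test(a);
  }
  const n = v4ToInt(a);
  if (n === null) return true;  // not an IP at all: fail closed
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
  });
}

function checkDestination(rawUrl, resolved = []) {
  let url;
  try { url = new URL(rawUrl); } catch { return { allow: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allow: false, reason: "scheme not http(s)" };
  }
  // WHATWG URL parsing already normalises forms such as http://2130706433/.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  const literal = host.includes(":") || v4ToInt(host) !== null;
  const addrs = literal ? [host] : resolved;
  if (addrs.length === 0) return { allow: false, reason: "no resolved address" };
  const bad = addrs.find(isBlockedAddress);
  return bad ? { allow: false, reason: `blocked address ${bad}` }
             : { allow: true, reason: "ok" };
}
```

The check only holds if the HTTP client connects to the same addresses that were checked and re-runs the check on every redirect hop.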

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 21, 2026

🟠 CVE-2026-33226 - High (8.7) Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions from 3.30.6 and prior, the REST datasource query preview endpoint (POST /api/queries/preview) makes server-side HTTP requests to any URL supplied... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33226/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-33226
Severity: High
CVSS Score: 8.7
Type: server_side_request_forgery
Status: confirmed
EPSS: 0.9%
Social Posts: 1

CWE

  • CWE-918

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

EPSS Score

0.9% (Probability of exploitation in the next 30 days)