CVE-2026-54353 is a high-severity server-side request forgery (SSRF) vulnerability in @budibase/backend-core (npm), affecting versions < 3.39.9. It is fixed in 3.39.9.
Summary
Authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS lookup through node-fetch. Because the validated IPs are never pinned to the connection, an attacker-controlled hostname can return a public IP during validation and a private/internal IP during the real connection. The result is a non-blind SSRF primitive against internal services reachable from the Budibase host, including loopback, RFC1918 ranges, and cloud metadata endpoints.

Details
The issue comes from the outbound fetch validation flow resolving DNS twice:
- once during blacklist validation
- again during the real socket connection
The first lookup result is discarded after validation, so the second lookup is free to resolve to a different IP. This is a classic TOCTOU DNS rebinding issue.
Affected flow: packages/backend-core/src/utils/outboundFetch.ts
fetchFn uses plain node-fetch with no custom http.Agent / https.Agent, so the underlying socket performs its own independent dns.lookup after validation completes.
The same pattern also exists in packages/server/src/automations/steps/utils.ts.
The blacklist implementation (packages/backend-core/src/blacklist/blacklist.ts) resolves hostnames but only returns a boolean. The resolved IPs are discarded, so callers cannot pin the later socket connection to the validated addresses.
An attacker controlling authoritative DNS for a hostname can therefore return:
- a public IP during validation
- a private/internal IP during the actual connection
Anything routing through these helpers inherits the issue, including:
- outgoing webhook
- Slack
- Discord
- Make
- Zapier
- n8n
- AI extract
- object-store fetches
Several of these steps return upstream response content directly into automation output, which makes the SSRF non-blind.
PoC
Tested locally against a self-hosted build from master. No Budibase-operated infrastructure was touched.
Setup:
1. Run Budibase locally.
2. Start a harmless local HTTP listener: python3 -m http.server 8080 --bind 127.0.0.1
3. Use a rebinding hostname such as 7f000001.cb007264.rbndr.us, which rotates between 127.0.0.1 and 203.0.113.100.
Steps to reproduce:
1. Log into Budibase with automation permissions.
2. Create an automation using the Outgoing Webhook step.
3. Set the URL to http://<rebinding-host>:8080/
4. Trigger the automation.
Observed result:
- The blacklist validation resolves the hostname to the public IP and allows the request.
- node-fetch performs a second DNS lookup during socket creation.
- The second lookup resolves to 127.0.0.1.
- The TCP connection lands on the local service.
- The local server response body appears directly in the automation output.

Impact
This produces a non-blind read-SSRF primitive against anything reachable from the Budibase host process, including:
- loopback services (127.0.0.1)
- RFC1918 ranges
- internal Kubernetes/VPC services
- cloud metadata endpoints (169.254.169.254)
On cloud deployments without IMDSv2 enforcement, this may expose temporary IAM credentials via /latest/meta-data/iam/security-credentials/<role>.
On multi-tenant hosted deployments, this may also create potential cross-tenant access paths through shared internal infrastructure.
Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.
CVE-2026-54353 has a CVSS score of 8.5 (High). The vector is network-reachable, with low privileges required and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (3.39.9). Upgrading removes the vulnerable code path.
Ecosystem: npm
Affected: @budibase/backend-core (< 3.39.9)
Fixed: @budibase/backend-core 3.39.9 (npm)
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-54353 is reachable in your applications. Explore open-source security for your team.
Upgrade @budibase/backend-core to 3.39.9 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-54353 is a high-severity server-side request forgery (SSRF) vulnerability in @budibase/backend-core (npm), affecting versions < 3.39.9. It is fixed in 3.39.9. Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside.
CVE-2026-54353 has a CVSS score of 8.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
@budibase/backend-core (npm) versions earlier than 3.39.9 are affected.
Yes. CVE-2026-54353 is fixed in 3.39.9. Upgrade to this version or later.
Whether CVE-2026-54353 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade @budibase/backend-core to 3.39.9 or later.