GHSA-rpj4-7x2v-wjrf: Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation
Summary
Budibase's AI Extract File automation step is vulnerable to server-side request forgery (SSRF): it calls `fetch()` directly on a user-supplied URL without the IP blacklist validation the rest of the codebase applies. Every other automation step that fetches a URL goes through `fetchWithBlacklist()`, which refuses requests to internal addresses such as 127.0.0.1 and 169.254.169.254; the AI step bypasses that check, so an authenticated user can make the Budibase server read cloud instance metadata, scan internal networks, and potentially obtain credentials.
Vulnerability Details
EPSS: 0.0%
May 15, 2026
Original source: https://github.com/advisories/GHSA-rpj4-7x2v-wjrf
First tracked: May 15, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 92%