Description
Budibase is an open-source low-code platform. Prior to 3.38.1, Budibase exposes a REST API for datasource management. The route PUT /api/datasources/:datasourceId is registered in the authorizedRoutes group with TABLE/READ permission. This is the same authorization level as the read endpoint (GET /api/datasources/:datasourceId). Every authenticated Budibase app user with the BASIC built-in role or higher carries TABLE/WRITE (and therefore TABLE/READ) permissions, and the datasource update controller performs no additional builder check. As a result, any authenticated non-builder app user can submit a PUT request to rewrite a datasource's config object — including the connection host, port, database credentials, or the base url of a REST datasource. Because no network-level SSRF protection is applied to SQL driver connections, redirecting a PostgreSQL/MySQL/MongoDB datasource to an internal IP address succeeds and the attacker can probe or interact with internal services on arbitrary ports. This vulnerability is fixed in 3.38.1.
Published: 2026-05-27
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authorization bug in Budibase allows any authenticated user with the BASIC or higher role to change a datasource's connection parameters via the PUT /api/datasources/:datasourceId endpoint. The route is protected only by the TABLE/READ permission, which does not enforce the stricter builder role, and the update controller performs no additional check. An attacker can therefore point a datasource at arbitrary internal hosts, ports, or database credentials, gaining the ability to probe, read from, or potentially write to internal services without further authentication.

Affected Systems

Budibase installations running any version prior to 3.38.1 are affected. The flaw is present on all systems where the REST API for datasource management is exposed, and any authenticated user who can execute API calls (including non-builder users with BASIC-level access) can exploit it.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high severity. There is no documented EPSS value, and the issue is not listed in the CISA KEV catalog. Exploitation requires only that the attacker be authenticated to the application; no privileges beyond a normal user role are required. After authentication, the attacker sends a crafted PUT request, and because no server-side SSRF checks exist for database drivers, the attacker can redirect the datasource to an arbitrary internal IP or port and interact directly with internal network services.

Generated by OpenCVE AI on May 27, 2026 at 19:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Budibase to version 3.38.1 or later.
  • Restrict the PUT /api/datasources/:datasourceId endpoint to users with builder privileges by applying additional authorization checks or changing the endpoint’s permission group.
  • Add network-level SSRF protection or firewall rules that block connections the application can make to internal IP ranges when the datasource is configured by an authenticated user.

Advisories
Source: GitHub GHSA
ID: GHSA-44m2-crh7-f4q2
Title: Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, allowing any authenticated app user to overwrite datasource connection parameters including host, port, and URL
History

Wed, 27 May 2026 18:30:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 May 2026 17:45:00 +0000

Description: (the CVE description shown at the top of this page)
Title: Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, allowing any authenticated app user to overwrite datasource connection parameters including host, port, and URL.
Weaknesses: CWE-862
References: (none listed)
Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T17:57:08.153Z

Reserved: 2026-05-13T05:51:48.666Z

Link: CVE-2026-45717

Vulnrichment

Updated: 2026-05-27T17:57:03.443Z

NVD

Status : Deferred

Published: 2026-05-27T18:16:25.727

Modified: 2026-05-27T19:45:41.590

Link: CVE-2026-45717

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:30:35Z

Weaknesses