CVE-2026-45718 - Vulnerability Details

- Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows

Description

Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is within the scope of the view's row filters. A user with access to a filtered view can trigger row actions on any row in the underlying table, including rows explicitly excluded by the view's security filters. This vulnerability is fixed in 3.38.1.

Published: 2026-05-27

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Budibase, an open‑source low‑code platform, has a flaw in the POST /api/tables/:sourceId/actions/:actionId/trigger endpoint that does not verify that a supplied rowId belongs to the set of rows allowed by a view’s filter. This is a permission enforcement weakness (CWE‑863). An authenticated user who can see a filtered view can trigger row actions on any row in the underlying table, including rows that the view explicitly hides, allowing the user to perform unintended actions on data they should not have access to.

Affected Systems

All Budibase deployments running a version earlier than 3.38.1 are affected. The vulnerability occurs when a user with access to a filtered view makes a request to the row‑action endpoint, which is part of the Budibase API.

Risk and Exploitability

The CVSS score of 5.4 classifies this flaw as moderate severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Because the attack requires only that the user be authenticated and possess permissions to a given filtered view, an attacker with legitimate credentials can exploit the flaw by sending a crafted request to the API or interacting with the web UI. The exploit does not require privilege escalation, so the risk is primarily to data integrity and unintended action execution.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Budibase

budibase

affected

Version	Status	Constraints
`< 3.38.1`	affected	—

No data.

Vendor Product Confidence Versions

Budibase

100%

Version	Status	Scheme	Platform
`[0,3.38.1)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Budibase to version 3.38.1 or later to apply the vendor fix for the row‑action authorization check.
If an upgrade is delayed, temporarily disable row actions on views that expose sensitive data or remove the view‑level permissions that allow action triggers until the patch is applied.
Implement supplemental access‑control logic to enforce view‑filter constraints before processing row‑action requests, and review the permission model to ensure that only appropriately privileged users can trigger actions.

Generated by OpenCVE AI on May 27, 2026 at 21:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-3263-v5v9-xq8q	Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00146.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/Budibase/budibase/releases/tag/3.38.1
https://github.com/Budibase/budibase/security/advisories/GHSA-3263-v5v9-xq8q

History

Thu, 28 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 28 May 2026 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Budibase Budibase budibase
Vendors & Products		Budibase Budibase budibase

Wed, 27 May 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description		Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is within the scope of the view's row filters. A user with access to a filtered view can trigger row actions on any row in the underlying table, including rows explicitly excluded by the view's security filters. This vulnerability is fixed in 3.38.1.
Title		Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows
Weaknesses		CWE-863
References		https://github.com/Budibase/budibase/releases/tag/3.38.1 https://github.com/Budibase/budibase/security/advisories/GHSA-3263-v5v9-xq8q
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}`

Subscriptions

Budibase Budibase

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-27T17:07:59.856Z

Updated: 2026-05-28T15:08:02.758Z

Reserved: 2026-05-13T05:51:48.666Z

Link: CVE-2026-45718

Vulnrichment

Updated: 2026-05-28T15:07:58.205Z

NVD

Status : Deferred

Published: 2026-05-27T18:16:25.873

Modified: 2026-06-17T10:52:29.947

Link: CVE-2026-45718

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T02:15:03Z

Weaknesses

CWE-863
Incorrect Authorization

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object