Skip to main content

Budibase CVE-2026-48152

| EUVDEUVD-2026-32588 HIGH
Incorrect Authorization (CWE-863)
2026-05-27 security-advisories@github.com GHSA-3gp5-q4jw-3v94
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 19:53 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

DescriptionGitHub Advisory

Budibase is an open-source low-code platform. Prior to 3.39.0, the single-datasource GET and PUT routes are guarded by generic TABLE READ, not by Builder/Admin permission or datasource-specific ownership/resource checks. The built-in Basic app user role maps to the WRITE permission set, which includes table read/write and query write. A Basic user can therefore read an existing REST datasource, receive redacted authConfigs values, submit an update that changes only config.url while keeping the redacted placeholders, and trigger an existing saved relative-path REST query. During update, mergeConfigs() restores the old stored secret when it sees the redaction placeholder. During query execution, Budibase prefixes the attacker-controlled datasource config.url to the relative query path and applies the resolved stored auth headers. The result is server-side disclosure of the builder-configured REST Authorization secret to an attacker-controlled listener. This vulnerability is fixed in 3.39.0.

AnalysisAI

Disclosure of builder-configured REST Authorization secrets in Budibase before 3.39.0 allows a low-privileged 'Basic' app user to exfiltrate stored credentials to an attacker-controlled server. Because the single-datasource GET/PUT routes enforce only a generic TABLE READ permission (which the Basic role inherits via the WRITE set) instead of a Builder/Admin or ownership check, an authenticated user can repoint a REST datasource's base URL and trigger a saved query that leaks the resolved auth headers. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is rated CVSS 8.1 (high).

Technical ContextAI

Budibase is an open-source low-code application platform whose data layer connects to external systems through 'datasources,' including REST datasources that carry authentication material in authConfigs. The flaw is a CWE-863 (Incorrect Authorization) failure: the single-datasource GET and PUT endpoints are gated by a generic TABLE READ permission rather than Builder/Admin role checks or datasource-specific ownership/resource validation. Two design behaviors compound the authorization gap - the UI/API returns redacted placeholders for secret fields, and during a PUT the server-side mergeConfigs() function restores the previously stored secret whenever it encounters the redaction placeholder, so a caller can change only config.url while preserving the hidden credential. At query execution time Budibase concatenates the (now attacker-controlled) datasource config.url with the relative path of a saved query and applies the resolved stored auth headers, sending the builder's secret to whatever host the URL points to.

RemediationAI

Upgrade to the patched release - Vendor-released patch: 3.39.0 - which is the primary and recommended fix, as documented in advisory GHSA-3gp5-q4jw-3v94 (https://github.com/Budibase/budibase/security/advisories/GHSA-3gp5-q4jw-3v94). If immediate upgrade is not possible, reduce exposure by not assigning the Basic role to untrusted users and by limiting who can edit datasources, accepting that this restricts legitimate app users' write/query capabilities; review and rotate any REST Authorization secrets configured by builders, since they may already have been exposed. As an additional compensating control, restrict outbound network egress from the Budibase server so it can only reach known, allowlisted datasource hosts, which blocks exfiltration to an attacker-controlled listener but will break any legitimate external integrations not on the allowlist. These workarounds are stopgaps; upgrading to 3.39.0 is the only complete remediation.

Share

CVE-2026-48152 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy