What is the CVSS score of CVE-2026-48152?

CVE-2026-48152 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Budibase are affected by CVE-2026-48152?

Budibase versions before 3.39.0 allow low-privileged users to exfiltrate REST API credentials stored in datasource configurations, creating a path to unauthorized access of integrated third-party…. A patch is available.

How to fix or mitigate CVE-2026-48152?

Within 24 hours: Inventory all Budibase deployments and identify instances running versions prior to 3.39.0. Within 7 days: Apply vendor patch by upgrading to Budibase 3.39.0 or later. Within 30 days: Audit REST datasource configurations for suspicious modifications, review query execution logs for unauthorized access, and rotate any credentials stored in datasources as a precaution.

Budibase CVE-2026-48152

EUVD-2026-32588 HIGH

Incorrect Authorization (CWE-863)

2026-05-27 security-advisories@github.com

Authentication Bypass

8.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

May 27, 2026 - 19:53 vuln.today

Patch available

May 27, 2026 - 19:46 EUVD

DescriptionNVD

Budibase is an open-source low-code platform. Prior to 3.39.0, the single-datasource GET and PUT routes are guarded by generic TABLE READ, not by Builder/Admin permission or datasource-specific ownership/resource checks. The built-in Basic app user role maps to the WRITE permission set, which includes table read/write and query write. A Basic user can therefore read an existing REST datasource, receive redacted authConfigs values, submit an update that changes only config.url while keeping the redacted placeholders, and trigger an existing saved relative-path REST query. During update, mergeConfigs() restores the old stored secret when it sees the redaction placeholder. During query execution, Budibase prefixes the attacker-controlled datasource config.url to the relative query path and applies the resolved stored auth headers. The result is server-side disclosure of the builder-configured REST Authorization secret to an attacker-controlled listener. This vulnerability is fixed in 3.39.0.

AnalysisAI

Disclosure of builder-configured REST Authorization secrets in Budibase before 3.39.0 allows a low-privileged 'Basic' app user to exfiltrate stored credentials to an attacker-controlled server. Because the single-datasource GET/PUT routes enforce only a generic TABLE READ permission (which the Basic role inherits via the WRITE set) instead of a Builder/Admin or ownership check, an authenticated user can repoint a REST datasource's base URL and trigger a saved query that leaks the resolved auth headers. …

RemediationAI

Within 24 hours: Inventory all Budibase deployments and identify instances running versions prior to 3.39.0. Within 7 days: Apply vendor patch by upgrading to Budibase 3.39.0 or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-48152 vulnerability details – vuln.today

Back