Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Budibase is an open-source low-code platform. Prior to 3.39.0, the single-datasource GET and PUT routes are guarded by generic TABLE READ, not by Builder/Admin permission or datasource-specific ownership/resource checks. The built-in Basic app user role maps to the WRITE permission set, which includes table read/write and query write. A Basic user can therefore read an existing REST datasource, receive redacted authConfigs values, submit an update that changes only config.url while keeping the redacted placeholders, and trigger an existing saved relative-path REST query. During update, mergeConfigs() restores the old stored secret when it sees the redaction placeholder. During query execution, Budibase prefixes the attacker-controlled datasource config.url to the relative query path and applies the resolved stored auth headers. The result is server-side disclosure of the builder-configured REST Authorization secret to an attacker-controlled listener. This vulnerability is fixed in 3.39.0.
AnalysisAI
Disclosure of builder-configured REST Authorization secrets in Budibase before 3.39.0 allows a low-privileged 'Basic' app user to exfiltrate stored credentials to an attacker-controlled server. Because the single-datasource GET/PUT routes enforce only a generic TABLE READ permission (which the Basic role inherits via the WRITE set) instead of a Builder/Admin or ownership check, an authenticated user can repoint a REST datasource's base URL and trigger a saved query that leaks the resolved auth headers. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is rated CVSS 8.1 (high).
Technical ContextAI
Budibase is an open-source low-code application platform whose data layer connects to external systems through 'datasources,' including REST datasources that carry authentication material in authConfigs. The flaw is a CWE-863 (Incorrect Authorization) failure: the single-datasource GET and PUT endpoints are gated by a generic TABLE READ permission rather than Builder/Admin role checks or datasource-specific ownership/resource validation. Two design behaviors compound the authorization gap - the UI/API returns redacted placeholders for secret fields, and during a PUT the server-side mergeConfigs() function restores the previously stored secret whenever it encounters the redaction placeholder, so a caller can change only config.url while preserving the hidden credential. At query execution time Budibase concatenates the (now attacker-controlled) datasource config.url with the relative path of a saved query and applies the resolved stored auth headers, sending the builder's secret to whatever host the URL points to.
RemediationAI
Upgrade to the patched release - Vendor-released patch: 3.39.0 - which is the primary and recommended fix, as documented in advisory GHSA-3gp5-q4jw-3v94 (https://github.com/Budibase/budibase/security/advisories/GHSA-3gp5-q4jw-3v94). If immediate upgrade is not possible, reduce exposure by not assigning the Basic role to untrusted users and by limiting who can edit datasources, accepting that this restricts legitimate app users' write/query capabilities; review and rotate any REST Authorization secrets configured by builders, since they may already have been exposed. As an additional compensating control, restrict outbound network egress from the Budibase server so it can only reach known, allowlisted datasource hosts, which blocks exfiltration to an attacker-controlled listener but will break any legitimate external integrations not on the allowlist. These workarounds are stopgaps; upgrading to 3.39.0 is the only complete remediation.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32588
GHSA-3gp5-q4jw-3v94