
Budibase EUVD-2026-32595 | CVE-2026-46427

Severity: HIGH (CVSS 3.1 score 7.7)
Weakness: Information Exposure (CWE-200)
2026-05-27, security-advisories@github.com

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: May 27, 2026 - 20:06 (vuln.today)
Patch available: May 27, 2026 - 19:46 (EUVD)

Description (NVD)

Budibase is an open-source low-code platform. Prior to 3.38.3, removeSecrets at packages/server/src/sdk/workspace/datasources/datasources.ts masks only datasource config fields whose schema type is DatasourceFieldType.PASSWORD. The Snowflake integration types its privateKey field as SENSITIVE_LONGFORM, which the filter skips. GET /api/datasources/:datasourceId lives on authorizedRoutes guarded by PermissionType.TABLE + PermissionLevel.READ. An authenticated BASIC user with any app role can call the endpoint and receive the full Snowflake PEM in plaintext. This vulnerability is fixed in 3.38.3.
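The masking gap described above, modelled as an added TypeScript example; it is not Budibase's code and not the 3.38.3 patch. The function names, the MASK value, the string values of the field types and the sample schema are hypothetical, and the deny-by-default filter is an assumption about one sound way to close this class of gap.

```typescript
// Field type names follow the advisory; their string values are constructed.
const FieldType = {
  STRING: "string",
  PASSWORD: "password",
  SENSITIVE_LONGFORM: "sensitiveLongform",
} as const;
type FieldType = (typeof FieldType)[keyof typeof FieldType];
type Schema = Partial<Record<string, { type: FieldType }>>;
type Config = Record<string, unknown>;

const MASK = "--secret-value--"; // constructed placeholder

// Constructed schema and stored config standing in for a Snowflake datasource.
const snowflakeSchema: Schema = {
  account: { type: FieldType.STRING },
  password: { type: FieldType.PASSWORD },
  privateKey: { type: FieldType.SENSITIVE_LONGFORM },
};
const storedConfig: Config = {
  account: "example-account",
  password: "constructed-password",
  privateKey: "-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----",
};

// Behaviour the advisory describes: only PASSWORD-typed fields are masked.
function maskPasswordOnly(schema: Schema, config: Config): Config {
  const out: Config = { ...config };
  for (const [key, field] of Object.entries(schema)) {
    if (field?.type === FieldType.PASSWORD && key in out) out[key] = MASK;
  }
  return out;
}

// Hardened: only allowlisted types are returned; any other type, and any
// config key missing from the schema, is masked.
const RETURNABLE_TYPES = new Set<FieldType>([FieldType.STRING]);
const isReturnable = (t?: FieldType) => t !== undefined && RETURNABLE_TYPES.has(t);

function maskByDefault(schema: Schema, config: Config): Config {
  const out: Config = {};
  for (const [key, value] of Object.entries(config)) {
    out[key] = isReturnable(schema[key]?.type) ? value : MASK;
  }
  return out;
}

// Regression check for API responses: fields returned in clear despite their type.
function unmaskedSecrets(schema: Schema, response: Config): string[] {
  return Object.keys(response).filter(
    (k) => response[k] !== MASK && !isReturnable(schema[k]?.type));
}
```

Running unmaskedSecrets over every integration schema in a unit test catches a newly introduced secret field type before it reaches a read endpoint.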

Analysis (AI)

Sensitive credential disclosure in Budibase low-code platform versions prior to 3.38.3 allows any authenticated low-privilege user to retrieve a configured Snowflake datasource's private key in plaintext. The flaw stems from an incomplete secret-masking filter that only redacts fields typed as PASSWORD, leaving the Snowflake privateKey field (typed SENSITIVE_LONGFORM) exposed through the GET /api/datasources/:datasourceId endpoint. …


Remediation (AI)

Within 24 hours: Inventory all Budibase deployments and identify instances with Snowflake datasources; document current version numbers and affected user populations. Within 7 days: Upgrade all Budibase instances to version 3.38.3 or later; immediately rotate compromised Snowflake account credentials and audit access logs for suspicious activity. …
