Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Budibase is an open-source low-code platform. Prior to 3.38.3, removeSecrets at packages/server/src/sdk/workspace/datasources/datasources.ts masks only datasource config fields whose schema type is DatasourceFieldType.PASSWORD. The Snowflake integration types its privateKey field as SENSITIVE_LONGFORM, which the filter skips. GET /api/datasources/:datasourceId lives on authorizedRoutes guarded by PermissionType.TABLE + PermissionLevel.READ. An authenticated BASIC user with any app role and call the endpoint and receive the full Snowflake PEM in plaintext. This vulnerability is fixed in 3.38.3.
AnalysisAI
Sensitive credential disclosure in Budibase low-code platform versions prior to 3.38.3 allows any authenticated low-privilege user to retrieve a configured Snowflake datasource's private key in plaintext. The flaw stems from an incomplete secret-masking filter that only redacts fields typed as PASSWORD, leaving the Snowflake privateKey field (typed SENSITIVE_LONGFORM) exposed through the GET /api/datasources/:datasourceId endpoint. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is fixed in 3.38.3.
Technical ContextAI
Budibase is an open-source low-code application platform that connects to external datasources, including Snowflake. Datasource configuration objects store secrets that are meant to be stripped before being returned over the API by the removeSecrets function at packages/server/src/sdk/workspace/datasources/datasources.ts. That function enumerates config fields and masks only those whose schema type equals DatasourceFieldType.PASSWORD. The Snowflake integration declares its privateKey using the SENSITIVE_LONGFORM type (to accommodate a multi-line PEM key), which is not equal to PASSWORD and therefore falls through the masking logic unredacted. This maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): the root cause is an allow/deny check keyed on an exact type that fails to account for all secret-bearing field types, so confidential data is serialized into an authenticated API response.
RemediationAI
Vendor-released patch: 3.38.3 - upgrade Budibase to 3.38.3 or later, which extends the removeSecrets masking to cover the SENSITIVE_LONGFORM field type so the Snowflake privateKey is no longer returned by the API. Because the leaked credential is a long-lived Snowflake private key, also rotate the affected Snowflake key pair after upgrading, since any user who could call the endpoint before patching may already possess the key. If immediate upgrade is not possible, compensating controls include temporarily removing or reconfiguring the Snowflake datasource to avoid storing the private key in Budibase (trade-off: breaks Snowflake-backed apps), and tightly restricting which users are granted app roles to minimize the pool of authenticated accounts that can reach GET /api/datasources/:datasourceId (trade-off: does not fully close the hole since any app role suffices and BASIC users may legitimately need access). Reference the advisory at https://github.com/Budibase/budibase/security/advisories/GHSA-qv26-4hvj-m7fv for authoritative details.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32595