CVE Catalog

CVE-2026-45717

High
Published: Translated: NVD NIST

Summary

Budibase prior to version 3.38.1 has a vulnerability in its REST API that allows authenticated app users to modify datasource configurations. Users with BASIC role or higher can send PUT requests to change settings, potentially leading to unauthorized access to sensitive data.

Risk Assessment

The organization is at risk of unauthorized access to internal services and data, which could lead to serious security incidents. An attacker could exploit this vulnerability to target internal resources.

Recommendation

It is recommended to update Budibase to version 3.38.1 or later to mitigate this vulnerability. Additionally, implementing further access controls and network-level protections is advisable.

Original NVD description (English source)

Budibase is an open-source low-code platform. Prior to 3.38.1, Budibase exposes a REST API for datasource management. The route PUT /api/datasources/:datasourceId is registered in the authorizedRoutes group with TABLE/READ permission. This is the same authorization level as the read endpoint (GET /api/datasources/:datasourceId). Every authenticated Budibase app user with the BASIC built-in role or higher carries TABLE/WRITE (and therefore TABLE/READ) permissions, and the datasource update controller performs no additional builder check. As a result, any authenticated non-builder app user can submit a PUT request to rewrite a datasource's config object — including the connection host, port, database credentials, or the base url of a REST datasource. Because no network-level SSRF protection is applied to SQL driver connections, redirecting a PostgreSQL/MySQL/MongoDB datasource to an internal IP address succeeds and the attacker can probe or interact with internal services on arbitrary po

Vulnerability data from NVD (NIST) · CISA KEV · EPSS