CVE Catalog

CVE-2026-48152

High
Published: Translated: NVD NIST

Summary

Budibase is an open-source low-code platform that prior to version 3.39.0 had security vulnerabilities related to access to GET and PUT routes for single data sources. Basic role users could access sensitive information such as authorization secrets by manipulating configuration data.

Risk Assessment

Organizations may be exposed to the disclosure of confidential authorization data, potentially leading to unauthorized access to resources and data. Attackers could exploit this vulnerability to gain control over applications using Budibase.

Recommendation

It is recommended to update Budibase to version 3.39 or later to eliminate this vulnerability. Additionally, conducting an audit of user permissions and application security is advisable.

Original NVD description (English source)

Budibase is an open-source low-code platform. Prior to 3.39.0, the single-datasource GET and PUT routes are guarded by generic TABLE READ, not by Builder/Admin permission or datasource-specific ownership/resource checks. The built-in Basic app user role maps to the WRITE permission set, which includes table read/write and query write. A Basic user can therefore read an existing REST datasource, receive redacted authConfigs values, submit an update that changes only config.url while keeping the redacted placeholders, and trigger an existing saved relative-path REST query. During update, mergeConfigs() restores the old stored secret when it sees the redaction placeholder. During query execution, Budibase prefixes the attacker-controlled datasource config.url to the relative query path and applies the resolved stored auth headers. The result is server-side disclosure of the builder-configured REST Authorization secret to an attacker-controlled listener. This vulnerability is fixed in 3.39

Vulnerability data from NVD (NIST) · CISA KEV · EPSS