Budibase: 18 CVEs Disclosed in Single Batch — Critical Auth Bypass and SSRF Flaws Patched
Eighteen security vulnerabilities in the open-source low-code platform Budibase were disclosed together on May 27, 2026, including a critical SCIM auth bypass (CVSS 9.9) and multiple SSRF and privilege escalation flaws, all fixed in Budibase 3.39.0 or in earlier targeted patch releases.

Key findings
- Critical SCIM auth bypass (CVE-2026-46425, CVSS 9.9) lets any authenticated user provision accounts
- Four SSRF flaws target OAuth2, REST datasources, VectorDB, and automation workflows
- Stored XSS in Markdown Text component (CVE-2026-48149) via unsanitized innerHTML
- Datasource PUT endpoint (CVE-2026-45717) uses TABLE/READ permission, allowing overwrite by readers
- Snowflake private key exposed in API responses due to secrets-masking type mismatch
- All 18 CVEs fixed across Budibase 3.35.3 through 3.39.0
Eighteen security vulnerabilities in Budibase, the open-source low-code platform, were disclosed together on May 27, 2026, spanning critical authorization bypasses, server-side request forgery (SSRF) vectors, stored cross-site scripting (XSS), and privilege escalation paths. The batch — published via GitHub Security Advisories — clusters around broken permission checks and missing input validation across the platform's REST API, OAuth2 integration, file upload handler, and SCIM provisioning module. All issues have been addressed in Budibase 3.39.0 and earlier targeted patch releases.
Critical and High-severity authorization gaps
The most severe vulnerability in the batch is CVE-2026-46425 (CVSS 9.9, Critical), a missing role check in the SCIM router. The SCIM provisioning endpoint attaches only a feature-flag middleware and a context-setter — no authentication or authorization middleware at all — meaning any authenticated user, regardless of role, can provision, modify, or deprovision user accounts. This effectively grants full identity-management control to any logged-in user.
CVE-2026-48150 (CVSS 9.0, Critical) targets the public roles assignment endpoint (/api/public/v1/roles/assign). The builderOrAdmin middleware checks whether the user is a builder for the app ID in the x-budibase-app-id header, but the check admits both global builders and workspace-scoped builders whose builder.apps set may not include the target app. This allows a workspace-scoped builder to escalate privileges by assigning roles in apps they do not own.
CVE-2026-48152 (CVSS 8.1, High) and CVE-2026-45717 (CVSS 8.8, High) both involve datasource permission mismatches. The single-datasource GET and PUT routes in CVE-2026-48152 are guarded only by generic TABLE READ permission rather than Builder/Admin or datasource-specific ownership checks. Since the built-in Basic app user role maps to the WRITE permission set (which includes table read/write), any app user can read or modify any datasource. In CVE-2026-45717, the PUT /api/datasources/:datasourceId route is registered with TABLE/READ authorization — the same level as the read endpoint — allowing a user with read access to overwrite datasource configurations entirely.
CVE-2026-45716 (CVSS 8.8, High) affects the user onboarding endpoint (POST /api/global/users/onboard). Protected by workspaceBuilderOrAdmin middleware, the endpoint is accessible to any builder. When SMTP is not configured (the default for self-hosted instances), the endpoint bypasses email verification, allowing a builder to create arbitrary user accounts without confirmation.
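The check described for CVE-2026-48150 fails because any builder flag satisfies it, even when a workspace-scoped builder's `builder.apps` set does not contain the target app. The following is an added example, not Budibase's own middleware: it puts that permissive shape beside an app-scoped check that accepts global admins and global builders, and scoped builders only for apps in their set. The user object layout (`admin.global`, `builder.global`, `builder.apps`) and the `ctx` shape are assumptions modelled on the advisory text; the `x-budibase-app-id` header name is the one the advisory names.

```javascript
// Added example (not Budibase code). User and ctx shapes are assumptions.

// Permissive shape described for CVE-2026-48150: any builder marker passes,
// so a scoped builder is accepted for apps outside their `apps` set.
function isBuilderVulnerable(user) {
  return Boolean(user && user.builder && (user.builder.global || user.builder.apps));
}

// Hardened check: global admins and global builders pass; workspace-scoped
// builders pass only when the target app is explicitly in their `apps` set.
function isBuilderForApp(user, appId) {
  if (!user || typeof appId !== "string" || appId.length === 0) return false;
  if (user.admin && user.admin.global) return true;
  const builder = user.builder;
  if (!builder) return false;
  if (builder.global) return true;
  return Array.isArray(builder.apps) && builder.apps.includes(appId);
}

// Middleware-style guard: reads the app id from the request header and
// refuses the request unless the app-scoped check passes.
function builderOrAdminGuard(ctx) {
  const appId = ctx.headers["x-budibase-app-id"];
  if (!isBuilderForApp(ctx.user, appId)) {
    return { status: 403, body: { message: "builder or admin role required for this app" } };
  }
  return null; // null means "continue to the route handler"
}

// Constructed sample users for illustration.
const scopedBuilder = { builder: { apps: ["app_dev_a"] } };
const globalBuilder = { builder: { global: true } };
const plainUser = {};

// Stand-alone run: the scoped builder is refused for an app it does not own.
console.log(builderOrAdminGuard({ headers: { "x-budibase-app-id": "app_dev_b" }, user: scopedBuilder }));
```

The design point is that the authorization decision must take the target resource as an input; a check that only inspects the caller's flags cannot distinguish "builder somewhere" from "builder of this app", which is exactly the gap the advisory describes.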
SSRF cluster: OAuth2, REST datasources, and VectorDB
Four CVEs in the batch share a common SSRF theme. CVE-2026-48153 (CVSS 8.5, High) and CVE-2026-48146 (CVSS 7.7, High) both target the OAuth2 token-fetch path. The fetchToken function in the OAuth2 SDK makes a POST to a builder-supplied URL using plain node-fetch, completely skipping the blacklist.isBlacklisted check that every other outbound fetch path in the codebase uses. The Joi schema for the OAuth2 URL imposes no scheme or host restrictions. CVE-2026-48146 describes the same root cause in the OAuth2 token fetch function at packages/server/src/sdk/workspace/oauth2/utils.ts, where the safe fetchWithBlacklist() wrapper exists but is not used.
CVE-2026-45715 (CVSS 7.7, High) affects the REST datasource integration, which follows HTTP redirects without re-checking the IP blacklist. An authenticated Builder can configure a REST datasource that redirects to internal services (cloud metadata endpoints, internal databases), bypassing the initial blacklist check. CVE-2026-48148 (Medium) covers the VectorDB configuration endpoint, which accepts a host parameter with no validation against internal IP ranges or reserved hostnames, enabling SSRF by any authenticated builder-level user.
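The two SSRF root causes above are a blacklist check that is skipped on one fetch path (CVE-2026-48153, CVE-2026-48146) and a blacklist check that is applied once but not repeated after an HTTP redirect (CVE-2026-45715). The following is an added example, not Budibase's `fetchWithBlacklist()` or its `blacklist` module: an outbound-fetch wrapper that validates the scheme and host before the first request and again before every redirect hop, following redirects manually so no hop is taken unchecked. The blocked ranges and hostnames are assumptions for illustration, and `fetchImpl` is injected so the block runs offline against a constructed fake server. It checks literal hosts only; a production version must also resolve DNS names and validate the resolved addresses, since a public name can resolve to an internal IP.

```javascript
// Added example (not Budibase code). Range and hostname lists are assumptions.
const BLOCKED_HOSTNAMES = new Set(["localhost", "metadata.google.internal"]);

// Private, loopback, link-local (includes 169.254.169.254) and unspecified ranges.
const BLOCKED_V4 = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["127.0.0.0", 8], ["169.254.0.0", 16], ["0.0.0.0", 8],
];

function ipv4ToInt(host) {
  const parts = host.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isBlacklistedHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, "");
  if (BLOCKED_HOSTNAMES.has(h)) return true;
  if (h.includes(":")) return true; // IPv6 literals are blocked outright in this example
  const ip = ipv4ToInt(h);
  if (ip === null) return false;    // plain DNS name: literal check only (see lead-in)
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// Returns the parsed URL when scheme and host are acceptable, otherwise throws.
function assertAllowedUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { throw new Error(`invalid URL: ${raw}`); }
  if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error(`scheme not allowed: ${url.protocol}`);
  if (isBlacklistedHost(url.hostname)) throw new Error(`host blocked: ${url.hostname}`);
  return url;
}

// Follows redirects manually so every Location target is re-validated.
async function fetchWithBlacklist(raw, opts = {}, fetchImpl = globalThis.fetch, maxRedirects = 5) {
  let url = assertAllowedUrl(raw);
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = await fetchImpl(url.href, { ...opts, redirect: "manual" });
    if (res.status < 300 || res.status >= 400) return res;
    const location = res.headers.get("location");
    if (!location) return res;
    url = assertAllowedUrl(new URL(location, url).href); // re-check on every hop
  }
  throw new Error("too many redirects");
}

// Constructed fake server: /start redirects to the cloud metadata address,
// anything else answers 200. Used so the example runs with no network.
async function fakeFetch(href) {
  if (new URL(href).pathname === "/start") {
    return { status: 302, headers: new Map([["location", "http://169.254.169.254/latest/meta-data/"]]) };
  }
  return { status: 200, headers: new Map(), body: "ok" };
}
```

Using `redirect: "manual"` is the important choice: with automatic redirects the HTTP client hops to the new host before the application sees it, which is precisely how a check that passed on the first URL gets bypassed.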
Stored XSS and file upload risks
CVE-2026-48149 (CVSS 8.1, High) describes a stored cross-site scripting vulnerability in the Budibase Text component. The component renders markdown by assigning marked.parse(markdown) directly to innerHTML with no sanitizer. Any column a builder binds to a Text component in Markdown mode becomes a stored-XSS sink — content entered by one user executes in the browser of any other user viewing that row.
CVE-2026-46426 (CVSS 7.6, High) targets the file upload endpoint POST /api/attachments/process. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED) guards. For authenticated users on self-hosted instances, no active-content restrictions are enforced, allowing upload of HTML, SVG, or other executable file types.
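The defect in CVE-2026-46426 is structural: the extension check exists but is only reached for some callers. The following added example (not Budibase's upload handler) shows that conditional shape beside a form where the active-content restriction runs for every caller and the user's status only adds further limits. The extension list, the `isPublicUser`/`selfHosted` flags and the public-user allowlist are assumptions for illustration.

```javascript
// Added example (not Budibase code). Extension lists and flags are assumptions.
const ACTIVE_CONTENT_EXTENSIONS = new Set(["html", "htm", "xhtml", "svg", "js", "mjs"]);

// Every extension in the name is inspected, so "notes.html.txt" is still flagged.
function extensionsOf(filename) {
  return filename.toLowerCase().split(".").slice(1).filter(Boolean);
}

function hasActiveContentExtension(filename) {
  return extensionsOf(filename).some((ext) => ACTIVE_CONTENT_EXTENSIONS.has(ext));
}

// Conditional shape described in the advisory: the restriction is only
// evaluated for public users or for non-self-hosted deployments, so an
// authenticated user on a self-hosted instance is never checked.
function isUploadAllowedVulnerable(filename, { isPublicUser, selfHosted }) {
  if (isPublicUser || !selfHosted) {
    if (hasActiveContentExtension(filename)) return false;
  }
  return true;
}

// Hardened shape: the active-content restriction applies unconditionally;
// public users are additionally limited to a small allowlist (assumed).
function isUploadAllowedHardened(filename, { isPublicUser }) {
  if (hasActiveContentExtension(filename)) return false;
  if (isPublicUser && !/\.(png|jpe?g|gif|pdf|csv|txt)$/i.test(filename)) return false;
  return true;
}

// Stand-alone run over constructed filenames.
for (const name of ["logo.svg", "notes.html.txt", "report.pdf"]) {
  console.log(name,
    "vulnerable:", isUploadAllowedVulnerable(name, { isPublicUser: false, selfHosted: true }),
    "hardened:", isUploadAllowedHardened(name, { isPublicUser: false }));
}
```

Extension filtering is one layer only; stored files should also be served with a `Content-Disposition: attachment` header and `X-Content-Type-Options: nosniff` so that a file which slips through is not rendered in the application's origin.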
Privilege escalation, cache poisoning, and injection flaws
CVE-2026-48151 (CVSS 7.5, High) exposes the webhook schema-building endpoint. Though registered under builderRoutes, the generic authorization middleware skips authorization for all paths matching /api/webhooks/schema, allowing an unauthenticated caller to update the body schema for a known webhook ID.
CVE-2026-46427 (CVSS 7.7, High) reveals a secrets-masking bypass in the Snowflake integration. The removeSecrets function masks only datasource config fields whose schema type is DatasourceFieldType.PASSWORD. The Snowflake integration types its privateKey field as SENSITIVE_LONGFORM, which the filter does not recognize, leaving the private key exposed in API responses.
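The masking gap in CVE-2026-46427 comes from a filter that tests one field type by equality instead of membership in a set of sensitive types. The following added example (not Budibase's `removeSecrets`) shows both shapes over a constructed Snowflake-like schema. The type names `PASSWORD` and `SENSITIVE_LONGFORM` are taken from the advisory text; the enum values, the schema layout, the mask string and the sample config values are assumptions.

```javascript
// Added example (not Budibase code). Enum values, schema and config are assumptions.
const DatasourceFieldType = {
  STRING: "string",
  PASSWORD: "password",
  SENSITIVE_LONGFORM: "sensitiveLongform",
};

// Every type that must never be echoed back in an API response.
const SECRET_TYPES = new Set([DatasourceFieldType.PASSWORD, DatasourceFieldType.SENSITIVE_LONGFORM]);
const MASK = "--secret-value--";

// Constructed schema in the shape of an integration definition.
const snowflakeSchema = {
  account: { type: DatasourceFieldType.STRING },
  username: { type: DatasourceFieldType.STRING },
  password: { type: DatasourceFieldType.PASSWORD },
  privateKey: { type: DatasourceFieldType.SENSITIVE_LONGFORM },
};

// Shape described in the advisory: only PASSWORD-typed fields are masked,
// so a SENSITIVE_LONGFORM private key passes through untouched.
function removeSecretsVulnerable(config, schema) {
  const out = { ...config };
  for (const [field, def] of Object.entries(schema)) {
    if (def.type === DatasourceFieldType.PASSWORD && field in out) out[field] = MASK;
  }
  return out;
}

// Hardened shape: membership in SECRET_TYPES decides, so adding a new
// sensitive type is a one-line change to the set rather than a new branch.
function removeSecretsHardened(config, schema) {
  const out = { ...config };
  for (const [field, def] of Object.entries(schema)) {
    if (SECRET_TYPES.has(def.type) && field in out) out[field] = MASK;
  }
  return out;
}

// Constructed sample config; the secret values are placeholders.
const sampleConfig = {
  account: "acme-eu",
  username: "svc_reports",
  password: "constructed-password",
  privateKey: "-----BEGIN PRIVATE KEY-----constructed-----END PRIVATE KEY-----",
};

console.log(removeSecretsHardened(sampleConfig, snowflakeSchema));
```

A useful regression test for this class of bug is to walk every integration schema in the code base, collect the set of field types it uses, and assert that each type is explicitly classified as either public or secret; an unclassified type is then a build failure rather than a silent leak.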
CVE-2026-46424 (CVSS 4.2, Medium) describes a cache-invalidation gap: the public API role unassignment endpoint (POST /api/public/v1/roles/unassign) updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. This means unassigned roles remain effective until the cache TTL expires.
CVE-2026-45719 (CVSS 6.5, Medium) covers a CouchDB injection in the V1 Views API (POST /api/views). A calculation parameter from the request body is interpolated directly into a CouchDB reduce function definition without validation. Although an internal SCHEMA_MAP defines valid calculation types, the validation can be bypassed.
CVE-2026-45718 (CVSS 5.4, Medium) affects the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger), which fails to validate that the user-supplied rowId is within the scope of the view's row filters. A user with access to a filtered view can trigger row actions on any row in the underlying table.
CVE-2026-48147 (CVSS 6.5, Medium) describes a CSRF-bypass via unanchored route matching. The buildMatcherRegex() / matches() functions compile route patterns into unanchored regular expressions tested against ctx.request.url (which includes the full query string), allowing an attacker to craft query parameters that match CSRF-protected routes.
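Two separate mistakes combine in CVE-2026-48147: the compiled pattern has no `^`/`$` anchors, and it is tested against the full URL rather than the path. Either alone is enough for a substring in the query string to satisfy a route pattern. The following added example (not Budibase's `buildMatcherRegex()` or `matches()`) shows a matcher built both ways over constructed patterns and a constructed request, so the difference can be observed directly. The glob syntax (`*` matching one path segment) and the pattern list are assumptions.

```javascript
// Added example (not Budibase code). Patterns, glob syntax and requests are constructed.

// Escape regex metacharacters except "*", which is the glob wildcard here.
function escapeRegex(s) {
  return s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
}

// Unanchored shape described in the advisory: the pattern may match anywhere
// in the tested string, including inside a query-string value.
function buildMatcherRegexUnanchored(pattern) {
  return new RegExp(escapeRegex(pattern).replace(/\*/g, "[^/]*"));
}

// Hardened shape: anchored at both ends so the whole string must be the route.
function buildMatcherRegexAnchored(pattern) {
  return new RegExp("^" + escapeRegex(pattern).replace(/\*/g, "[^/]*") + "$");
}

// Vulnerable matcher: tests the full URL, query string included.
function matchesVulnerable(ctx, patterns) {
  return patterns.some((p) => buildMatcherRegexUnanchored(p).test(ctx.request.url));
}

// Hardened matcher: tests the path only, with duplicate slashes collapsed
// so "/api//public" cannot dodge an anchored pattern either.
function matchesHardened(ctx, patterns) {
  const path = ctx.request.path.replace(/\/{2,}/g, "/");
  return patterns.some((p) => buildMatcherRegexAnchored(p).test(path));
}

// Constructed route patterns the CSRF middleware consults.
const csrfPatterns = ["/api/webhooks/trigger/*", "/api/public/v1/*"];

// Constructed requests: a state-changing route whose query string contains
// text shaped like one of the patterns, and a genuine request to a pattern route.
const craftedCtx = { request: { url: "/api/users?next=/api/public/v1/x", path: "/api/users" } };
const genuineCtx = { request: { url: "/api/public/v1/rows", path: "/api/public/v1/rows" } };

console.log("crafted  vulnerable:", matchesVulnerable(craftedCtx, csrfPatterns),
            "hardened:", matchesHardened(craftedCtx, csrfPatterns));
console.log("genuine  vulnerable:", matchesVulnerable(genuineCtx, csrfPatterns),
            "hardened:", matchesHardened(genuineCtx, csrfPatterns));
```

When reviewing middleware of this kind, the two properties to check are that every compiled pattern is anchored and that the value it is tested against is the normalised path from the framework (Koa's `ctx.request.path`, for instance), never the raw URL.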
CVE-2026-48128 (Medium) covers an SSRF vector through the executeQuery automation step, which accepts a queryId from automation inputs and passes it directly to the query execution controller without additional validation. When combined with a REST datasource targeting internal infrastructure, this enables SSRF through automation workflows.
Patch status and remediation
Budibase addressed the full batch across several release versions. The majority of vulnerabilities — including the critical SCIM auth bypass (CVE-2026-46425), the OAuth2 SSRF flaws (CVE-2026-48153, CVE-2026-48146), the stored XSS (CVE-2026-48149), and the role assignment bypass (CVE-2026-48150) — are fixed in Budibase 3.39.0. The file upload and secrets-masking issues (CVE-2026-46426, CVE-2026-46427) were patched in 3.38.2 and 3.38.3 respectively. The CouchDB injection, row action bypass, datasource overwrite, onboarding bypass, and REST datasource redirect SSRF (CVE-2026-45719, CVE-2026-45718, CVE-2026-45717, CVE-2026-45716, CVE-2026-45715) were fixed in 3.38.1. The CSRF bypass (CVE-2026-48147) was patched in 3.35.4, and the VectorDB SSRF (CVE-2026-48148) in 3.35.3.
Self-hosted Budibase instances should upgrade to the latest available release immediately. Cloud-hosted Budibase tenants are typically updated by the vendor and may not require manual action.
Why this batch matters
The sheer breadth of this disclosure — 18 CVEs touching authentication, authorization, SSRF, XSS, file upload, cache integrity, and secrets management — underscores the attack-surface complexity of low-code platforms that expose both builder and end-user APIs. The most critical finding is the SCIM auth bypass (CVE-2026-46425), which effectively nullifies role-based access control for any authenticated user. Organizations using Budibase for internal tooling should prioritize the upgrade to 3.39.0 and audit any custom automation workflows or REST datasource configurations that may have been exposed.