VYPR
High severity (8.1) · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-48152

Description

Budibase is an open-source low-code platform. Prior to 3.39.0, the single-datasource GET and PUT routes are guarded by generic TABLE READ, not by Builder/Admin permission or datasource-specific ownership/resource checks. The built-in Basic app user role maps to the WRITE permission set, which includes table read/write and query write. A Basic user can therefore read an existing REST datasource, receive redacted authConfigs values, submit an update that changes only config.url while keeping the redacted placeholders, and trigger an existing saved relative-path REST query. During update, mergeConfigs() restores the old stored secret when it sees the redaction placeholder. During query execution, Budibase prefixes the attacker-controlled datasource config.url to the relative query path and applies the resolved stored auth headers. The result is server-side disclosure of the builder-configured REST Authorization secret to an attacker-controlled listener. This vulnerability is fixed in 3.39.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Budibase prior to 3.39.0 allows Basic app users to exfiltrate REST datasource auth secrets by rewriting the datasource URL.

Vulnerability

Budibase is an open-source low-code platform. Prior to version 3.39.0, the single-datasource GET and PUT routes (/api/datasources/:datasourceId) are guarded only by generic TABLE READ permission, not by Builder/Admin permission or datasource-specific ownership checks. The built-in Basic app user role maps to the WRITE permission set, which includes table read/write and query write. This allows a Basic user to read an existing REST datasource, receive redacted authConfigs values, submit an update that changes only config.url while keeping the redaction placeholders, and trigger an existing saved relative-path REST query. During update, mergeConfigs() restores the old stored secret when it sees the redaction placeholder. During query execution, Budibase prefixes the attacker-controlled datasource config.url to the relative query path and applies the resolved stored auth headers. [1]

Exploitation

An attacker with a Basic app user role (which has WRITE permission) can exploit this by first reading a REST datasource to obtain its redacted configuration. The attacker then sends a PUT request to update the datasource, changing only the config.url field to point to an attacker-controlled listener while leaving the redacted authConfigs placeholders unchanged. The server's mergeConfigs() function preserves the original stored secret when it encounters the redaction placeholder. The attacker then triggers an existing saved REST query that uses a relative path. Budibase constructs the full URL by prepending the attacker-controlled config.url and attaches the stored auth headers (e.g., Bearer token). The request is sent to the attacker's listener, disclosing the secret. [1]

Impact

Successful exploitation results in server-side disclosure of the builder-configured REST Authorization secret (e.g., Basic, Bearer, or OAuth2 credentials) to an attacker-controlled listener. This compromises the confidentiality of the stored credential, which may be used to access external services with the same privileges as the Budibase integration. The attacker does not need any additional privileges beyond the Basic app user role. [1]

Mitigation

The vulnerability is fixed in Budibase version 3.39.0. Users should upgrade to this version or later. No workarounds are documented in the available reference. [1]

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Budibase/Budibase (inferred), 2 version ranges
    • (no CPE) range: <3.39.0
    • (no CPE) range: <3.39.0

Patches (1)

feab9955aeb5

Bump version to 3.39.0

https://github.com/Budibase/budibase · Budibase Staging Release Bot · May 20, 2026 · Fixed in 3.39.0 via release-tag
1 file changed · +1 -1
  • lerna.json · +1 -1 · modified
    @@ -1,6 +1,6 @@
     {
       "$schema": "node_modules/lerna/schemas/lerna-schema.json",
    -  "version": "3.38.5",
    +  "version": "3.39.0",
       "npmClient": "yarn",
       "concurrency": 20,
       "command": {
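Review bot: this hunk only moves the `version` field in `lerna.json` from 3.38.5 to 3.39.0 and contains none of the authorization or placeholder-merge changes the advisory describes, so it cannot be used to verify the fix for this CVE; the patch record should link the commit that puts the GET/PUT `/api/datasources/:datasourceId` routes behind Builder/Admin and datasource-specific checks and restricts placeholder restoration in `mergeConfigs()`, or state explicitly that this release-tag commit is a version marker only.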
    

Vulnerability mechanics

Root cause

"Missing datasource-specific authorization on single-datasource GET/PUT routes allows a Basic app user to rewrite the datasource base URL while the redaction-placeholder merge logic preserves the stored auth secret, which is then exfiltrated via a saved query execution."

Attack vector

An attacker with a Basic app-user role (which maps to the WRITE permission set, granting TABLE READ/WRITE and QUERY WRITE [ref_id=1]) first calls `GET /api/datasources/:datasourceId` to obtain the datasource object with redacted auth placeholders [ref_id=1]. The attacker then calls `PUT /api/datasources/:datasourceId` with the same body but changes `config.url` to an attacker-controlled HTTP listener; `mergeConfigs()` restores the stored secret when it sees the redaction placeholder [ref_id=1]. Finally, the attacker triggers the saved relative-path REST query via `POST /api/v2/queries/:queryId`, causing the server to prefix the attacker-controlled `config.url` to the query path and apply the stored auth headers, sending the builder-configured REST Authorization secret to the attacker's listener [ref_id=1].

Affected code

The single-datasource GET and PUT routes at `/api/datasources/:datasourceId` are in `authorizedRoutes` guarded only by `PermissionType.TABLE` and `PermissionLevel.READ`, not by Builder/Admin permission or datasource-specific resource checks [ref_id=1]. The `mergeConfigs()` function in `packages/server/src/sdk/workspace/datasources/datasources.ts` restores the old stored auth-secret when the update body sends the redaction placeholder, and `removeSecrets()` redacts REST Basic/Bearer/OAuth2 secrets to `PASSWORD_REPLACEMENT` [ref_id=1]. During query execution, `packages/server/src/integrations/rest.ts` prefixes the datasource `config.url` to relative query paths and applies the resolved auth headers [ref_id=1].

What the fix does

The only patch provided is a version bump from 3.38.5 to 3.39.0 in `lerna.json` [patch_id=2725522], which does not show the substantive code changes. The advisory recommends moving the GET/PUT `/api/datasources/:datasourceId` routes behind Builder/Admin datasource permissions, adding datasource-specific resource authorization, and treating redaction placeholders as valid only in trusted builder/admin update flows [ref_id=1]. No fix diff is published in the bundle beyond the version bump.
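As an added illustration (not Budibase's code), the following TypeScript models the redaction-and-merge flow from the two paragraphs above: `removeSecrets()` redacts secrets to `PASSWORD_REPLACEMENT`, the pre-fix `mergeConfigs()` shape restores the stored secret for any caller that echoes the placeholder while taking a rewritten `config.url` as-is, and a hardened variant applies the advisory's recommendation of honouring placeholders only in a builder/admin flow. The `Datasource` and `Role` types, the `role` parameter and all function bodies are assumptions modelled on the advisory text, not the project's implementation.

```typescript
export const PASSWORD_REPLACEMENT = "--secret-value--";

export interface AuthConfig { name: string; config: { token?: string; password?: string } }
export interface Datasource { config: { url: string; authConfigs: AuthConfig[] } }
export type Role = "BASIC" | "BUILDER" | "ADMIN";
const SECRET_KEYS = ["token", "password"] as const;

// Redact stored auth secrets before a datasource object leaves the server.
export function removeSecrets(ds: Datasource): Datasource {
  const authConfigs = ds.config.authConfigs.map(a => {
    const c = { ...a.config };
    for (const k of SECRET_KEYS) if (c[k] !== undefined) c[k] = PASSWORD_REPLACEMENT;
    return { name: a.name, config: c };
  });
  return { config: { url: ds.config.url, authConfigs } };
}

// Put the stored secret back wherever the update body echoes the placeholder.
// config.url is taken from the update unconditionally: this is the coupling
// the advisory describes (caller-chosen base URL + previously stored secret).
function restorePlaceholders(stored: Datasource, update: Datasource): Datasource {
  const authConfigs = update.config.authConfigs.map(a => {
    const prev = stored.config.authConfigs.find(s => s.name === a.name);
    const c = { ...a.config };
    for (const k of SECRET_KEYS) if (c[k] === PASSWORD_REPLACEMENT) c[k] = prev?.config[k];
    return { name: a.name, config: c };
  });
  return { config: { url: update.config.url, authConfigs } };
}

// Pre-fix shape (assumed): no check on who is calling, so any role that can
// reach the PUT route gets the placeholder merged back behind a rewritten URL.
export function mergeConfigsVulnerable(stored: Datasource, update: Datasource): Datasource {
  return restorePlaceholders(stored, update);
}

// Hardened shape: placeholder restoration is a trusted builder/admin flow only.
// Any other caller is refused before the stored secret is read at all.
export function mergeConfigsHardened(stored: Datasource, update: Datasource, role: Role): Datasource {
  if (role !== "BUILDER" && role !== "ADMIN") {
    throw new Error("datasource update requires builder/admin permission");
  }
  return restorePlaceholders(stored, update);
}
```

A datasource-specific resource check (is this caller allowed to edit this particular datasource?) belongs in the route guard in front of the merge and is not modelled here.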

Preconditions

  • auth: Attacker must have a Basic app-user session for a published app that uses an authenticated REST datasource
  • config: A builder/admin must have created a REST datasource with stored auth (Bearer, Basic, or OAuth2) and a saved relative-path REST query
  • network: Attacker must have network access to the Budibase server API endpoints
  • input: Attacker must control an HTTP listener reachable from the Budibase server

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)
