VYPR · patch
Published May 31, 2026 · 1 source

18 CVEs Disclosed in Budibase Low-Code Platform: Critical Auth Bypass and SSRF Flaws Patched

Eighteen security vulnerabilities in the open-source Budibase low-code platform were disclosed on May 27, 2026, including a critical SCIM auth bypass (CVSS 9.9) and multiple SSRF flaws, all fixed in Budibase 3.39.0 and earlier targeted patch releases.

Eighteen security vulnerabilities in Budibase, the open-source low-code platform, were disclosed together on May 27, 2026, spanning critical authorization bypasses, server-side request forgery (SSRF) vectors, stored cross-site scripting (XSS), and privilege escalation paths. The batch — published via GitHub Security Advisories — clusters around broken permission checks and missing input validation across the platform's REST API, OAuth2 integration, file upload handler, and SCIM provisioning module. All issues have been addressed in Budibase 3.39.0 and earlier targeted patch releases.

The most severe vulnerability in the batch is CVE-2026-46425 (CVSS 9.9, Critical), a missing role check in the SCIM router. The SCIM provisioning endpoint attaches only a feature-flag middleware and a context-setter — no authentication or authorization middleware at all — meaning any authenticated user, regardless of role, can provision, modify, or deprovision user accounts. This effectively grants full identity-management control to any logged-in user.

CVE-2026-48150 (CVSS 9.0, Critical) targets the public roles assignment endpoint (/api/public/v1/roles/assign). The builderOrAdmin middleware checks whether the user is a builder for the app ID in the x-budibase-app-id header, but the check admits both global builders and workspace-scoped builders whose builder.apps set may not include the target app. This allows a workspace-scoped builder to escalate privileges by assigning roles in apps they do not own.

CVE-2026-48152 (CVSS 8.1, High) and CVE-2026-45717 (CVSS 8.8, High) both involve datasource permission mismatches. The single-datasource GET and PUT routes in CVE-2026-48152 are guarded only by generic TABLE READ permission rather than Builder/Admin or datasource-specific ownership checks. Since the built-in Basic app user role maps to the WRITE permission set (which includes table read/write), any app user can read or modify any datasource. In CVE-2026-45717, the PUT /api/datasources/:datasourceId route is registered with TABLE/READ authorization — the same level as the read endpoint — allowing a user with read access to overwrite datasource configurations entirely.
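The three authorization problems above (an unprotected SCIM router, a builder check that ignores app scope, and a datasource update route gated at table-read level) all come down to routes whose required privilege is either absent or lower than the operation warrants. The following is an added example, not Budibase's own code, of a route-authorization model that closes those gaps: every route carries an explicit requirement and unknown routes are denied, "builder" is evaluated against the app named in the x-budibase-app-id header, and datasource reads and updates require a builder for that app rather than TABLE_READ. The names ROUTES, ROLE_PERMS, isBuilderForApp, authorize and SAMPLE are assumed here, as are the SCIM and table-row paths marked as placeholders.

```javascript
// Added example, not Budibase's own code. Route-level authorization with
// deny-by-default and app-scoped builder checks. ROUTES, ROLE_PERMS,
// isBuilderForApp, authorize and SAMPLE are names assumed here.

// Privilege required for each route. Datasource GET and PUT both require a
// builder for this app; public role assignment likewise; SCIM provisioning
// requires a global admin. Only the row read stays at table level.
const ROUTES = {
  "GET /api/tables/:tableId/rows": { level: "TABLE_READ" }, // placeholder path
  "GET /api/datasources/:datasourceId": { level: "BUILDER" },
  "PUT /api/datasources/:datasourceId": { level: "BUILDER" },
  "POST /api/public/v1/roles/assign": { level: "BUILDER" },
  "POST /scim/v2/Users": { level: "ADMIN" }, // placeholder path
};

// What ordinary app roles grant. BASIC maps to the WRITE set (table read and
// write), as the advisory notes, so TABLE_READ alone cannot protect datasources.
const ROLE_PERMS = {
  PUBLIC: new Set(),
  BASIC: new Set(["TABLE_READ", "TABLE_WRITE"]),
};

// Builder check scoped to one app: global admins and global builders qualify
// everywhere; workspace-scoped builders only for apps listed in builder.apps.
// A missing app ID is a denial, never a pass.
function isBuilderForApp(user, appId) {
  if (!user || !appId) return false;
  if (user.admin && user.admin.global) return true;
  const builder = user.builder || {};
  if (builder.global) return true;
  return Array.isArray(builder.apps) && builder.apps.includes(appId);
}

// Authorize one request. Returns { ok, reason } so the decision can be logged;
// unknown routes and anonymous callers are refused before any role lookup.
function authorize(user, route, headers) {
  const req = ROUTES[route];
  if (!req) return { ok: false, reason: "unknown route" };
  if (!user) return { ok: false, reason: "unauthenticated" };
  const appId = headers["x-budibase-app-id"];
  if (req.level === "ADMIN") {
    return user.admin && user.admin.global
      ? { ok: true }
      : { ok: false, reason: "global admin required" };
  }
  if (req.level === "BUILDER") {
    return isBuilderForApp(user, appId)
      ? { ok: true }
      : { ok: false, reason: `builder for ${appId || "(no app)"} required` };
  }
  // Table-level permission: builders for the app pass; otherwise consult the
  // caller's role in that app, defaulting to PUBLIC.
  if (isBuilderForApp(user, appId)) return { ok: true };
  const role = (user.roles && user.roles[appId]) || "PUBLIC";
  const perms = ROLE_PERMS[role] || new Set();
  return perms.has(req.level)
    ? { ok: true }
    : { ok: false, reason: `${req.level} required` };
}

// Constructed sample users: a builder scoped to app_a who is only a BASIC
// user in app_b, and a global admin.
const SAMPLE = {
  scopedBuilder: { builder: { apps: ["app_a"] }, roles: { app_b: "BASIC" } },
  globalAdmin: { admin: { global: true } },
};

// Stand-alone run: show what the scoped builder may do inside app_b.
function demo() {
  const hdr = { "x-budibase-app-id": "app_b" };
  const out = {};
  for (const route of Object.keys(ROUTES)) {
    out[route] = authorize(SAMPLE.scopedBuilder, route, hdr);
  }
  return out;
}

console.log(demo());
```

The decisive detail is that the app ID comes from the request and the check asks "is this user a builder for that app", not merely "is this user a builder"; a missing header is treated as a denial rather than falling through to a global check.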

Four CVEs in the batch share a common SSRF theme. CVE-2026-48153 (CVSS 8.5, High) and CVE-2026-48146 (CVSS 7.7, High) both target the OAuth2 token-fetch path. The fetchToken function in the OAuth2 SDK makes a POST to a builder-supplied URL using plain node-fetch, completely skipping the blacklist.isBlacklisted check that every other outbound fetch path in the codebase uses. CVE-2026-45715 (CVSS 7.7, High) affects the REST datasource integration, which follows HTTP redirects without re-checking the IP blacklist. CVE-2026-48148 (Medium) covers the VectorDB configuration endpoint, which accepts a host parameter with no validation against internal IP ranges.
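The common thread in these four issues is an outbound request whose destination is chosen by a builder or an integration setting and is not checked, or is checked once and then not again after a redirect. The following is an added example, not Budibase's own code, of an outbound-fetch guard that applies one destination check to the initial URL and to every redirect hop by following redirects manually. The fetch implementation is injected so the file runs offline; in production it would be node-fetch or the global fetch, both of which accept redirect: "manual". The names isBlacklistedHost, safeFetch, fakeFetch and demo, and the example.com endpoints, are assumed here.

```javascript
// Added example, not Budibase's own code. One destination check, applied to
// the first URL and to every redirect hop. isBlacklistedHost, safeFetch,
// fakeFetch and demo are names assumed here.

// Parse a dotted-quad IPv4 literal to an unsigned 32-bit integer, else null.
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const p = m.slice(1).map(Number);
  if (p.some((n) => n > 255)) return null;
  return ((p[0] << 24) >>> 0) + (p[1] << 16) + (p[2] << 8) + p[3];
}

// Address ranges a builder-supplied URL must never reach: "this" network,
// RFC 1918, CGNAT, loopback and link-local.
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function inCidr(ip, [base, bits]) {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Hostname check. IP literals are matched against the ranges above; localhost
// and IPv6 loopback / v4-mapped forms are rejected outright (conservatively).
// A DNS name passes here and must be resolved and re-checked before the
// socket is opened (not shown).
function isBlacklistedHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, ""); // drop IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "::1" || h === "::" || h.startsWith("::ffff:")) return true;
  const ip = ipv4ToInt(h);
  return ip !== null && BLOCKED_V4.some((range) => inCidr(ip, range));
}

// Fetch with redirects handled manually so each hop passes the same check.
// fetchImpl(url, options) must resolve to { status, headers.get(name) }.
async function safeFetch(urlString, options, fetchImpl, maxRedirects = 5) {
  let url = new URL(urlString);
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if (url.protocol !== "http:" && url.protocol !== "https:") {
      throw new Error(`blocked scheme ${url.protocol}`);
    }
    if (isBlacklistedHost(url.hostname)) {
      throw new Error(`blocked destination ${url.hostname}`);
    }
    const res = await fetchImpl(url.toString(), { ...options, redirect: "manual" });
    const location =
      res.status >= 300 && res.status < 400 ? res.headers.get("location") : null;
    if (!location) return res;
    url = new URL(location, url); // relative Location resolved against this hop
  }
  throw new Error("too many redirects");
}

// Constructed offline stand-in for node-fetch: one endpoint redirects to a
// private address, the other answers directly.
function fakeFetch(url) {
  const table = {
    "https://idp.example.com/token": { status: 302, location: "http://10.0.0.5/internal" },
    "https://idp.example.com/ok": { status: 200 },
  };
  const r = table[url] || { status: 200 };
  return Promise.resolve({
    status: r.status,
    headers: { get: (name) => (name.toLowerCase() === "location" ? r.location || null : null) },
  });
}

// Stand-alone demonstration: the redirecting endpoint is refused at the
// second hop, the plain one succeeds.
async function demo() {
  const results = {};
  results.ok = (await safeFetch("https://idp.example.com/ok", {}, fakeFetch)).status;
  try {
    await safeFetch("https://idp.example.com/token", {}, fakeFetch);
    results.token = "allowed";
  } catch (e) {
    results.token = e.message;
  }
  return results;
}

demo().then((r) => console.log(r));
```

Two points worth keeping in mind when adapting this: the WHATWG URL parser already normalises integer and octal IPv4 spellings to dotted-quad form, so checking url.hostname after parsing catches those variants; and because a DNS name is only resolved at connect time, the literal check above is necessary but not sufficient on its own, which is why the comment calls for resolving and re-checking before the socket opens.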

Additional vulnerabilities include stored XSS in the Markdown Text component (CVE-2026-48149, CVSS 8.1), file upload bypass for authenticated users (CVE-2026-46426, CVSS 7.6), and a secrets-masking bypass in the Snowflake integration (CVE-2026-46427, CVSS 7.7) that exposes private keys in API responses. All 18 CVEs have been fixed across Budibase versions 3.35.3 through 3.39.0. Users are strongly advised to upgrade immediately to the latest patched release to mitigate these risks.

Synthesized by Vypr AI