CVE-2026-45717
Status: Received - Intake
BaseFortify

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
Budibase is an open-source low-code platform. Prior to 3.38.1, Budibase exposes a REST API for datasource management. The route PUT /api/datasources/:datasourceId is registered in the authorizedRoutes group with TABLE/READ permission. This is the same authorization level as the read endpoint (GET /api/datasources/:datasourceId). Every authenticated Budibase app user with the BASIC built-in role or higher carries TABLE/WRITE (and therefore TABLE/READ) permissions, and the datasource update controller performs no additional builder check. As a result, any authenticated non-builder app user can submit a PUT request to rewrite a datasource's config object — including the connection host, port, database credentials, or the base url of a REST datasource. Because no network-level SSRF protection is applied to SQL driver connections, redirecting a PostgreSQL/MySQL/MongoDB datasource to an internal IP address succeeds and the attacker can probe or interact with internal services on arbitrary ports. This vulnerability is fixed in 3.38.1.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-05-28
AI Q&A: 2026-05-27
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: budibase
Product: budibase
Version / Range: 3.38.1 (note: the description above gives the affected range as versions prior to 3.38.1 and names 3.38.1 as the fixed release, so treat 3.38.0 and earlier as affected)
Helpful Resources
CWE
CWE ID Description
CWE-862 Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Budibase, an open-source low-code platform, in versions prior to 3.38.1. The REST API route for updating a datasource (PUT /api/datasources/:datasourceId) is registered with TABLE/READ permission, the same level as the read endpoint (GET /api/datasources/:datasourceId). Every authenticated app user with the BASIC built-in role or higher holds TABLE/WRITE, and therefore TABLE/READ, so any such user can call the update route.

Because the update controller does not additionally check that the caller is a builder, a non-builder app user can rewrite the datasource's config object: the connection host and port, the database credentials, or the base URL of a REST datasource.

There is also no network-level Server-Side Request Forgery (SSRF) protection on SQL driver connections. An attacker can therefore point a PostgreSQL, MySQL, or MongoDB datasource at an internal IP address and port; the Budibase server then opens that connection from its own network position, letting the attacker probe or interact with internal services that are not reachable from outside.


How can this vulnerability impact me?

This vulnerability allows unauthorized modification of datasource configurations, which can expose database credentials and connection details and can break or redirect the datasources that applications depend on.

An attacker can redirect database connections to internal IP addresses and use the Budibase server to probe or interact with internal services that are normally inaccessible, potentially leading to data breaches or further compromise of internal systems.

Given the high CVSS score of 8.8, the vulnerability poses a high risk with impacts on confidentiality, integrity, and availability.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in Budibase version 3.38.1. Upgrade to 3.38.1 or later.

Until the upgrade is applied, block PUT requests to /api/datasources/:datasourceId from non-builder users. The simplest interim control is to reject that method and path at the reverse proxy in front of Budibase, which will also block legitimate datasource edits by builders until the fix is deployed. Once patched, review every datasource's host, port, and URL for values you did not set, and rotate any database credentials stored in a datasource that a non-builder user could have reached.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows any authenticated user with a BASIC role to modify datasource configurations, including database credentials and connection parameters, potentially leading to unauthorized access to sensitive data.

Such unauthorized access and manipulation of data sources can compromise the confidentiality, integrity, and availability of data, which are core principles in compliance standards like GDPR and HIPAA.

By enabling Server-Side Request Forgery (SSRF) attacks and internal service probing, the vulnerability increases the risk of data breaches and unauthorized data exposure, potentially violating regulatory requirements for data protection and security controls.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability is detected by testing whether the PUT /api/datasources/:datasourceId endpoint accepts updates from a user who is not a builder. Log in as a user that holds only the BASIC built-in role in an app, then send an authenticated PUT to the route: on an affected version the update is accepted; on 3.38.1 or later it is rejected. Run the test against a throwaway datasource, because the request really rewrites the configuration; the least disruptive variant is to GET the datasource document and PUT it back unchanged.

Suggested commands and checks:

  • Use curl to send an authenticated PUT and observe whether the change is accepted. The Authorization: Bearer header below is a placeholder; Budibase carries sessions in its own cookie and headers, so copy the headers from a request made by the logged-in BASIC user's browser: curl -X PUT -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"config": {"host": "malicious-host"}}' https://<budibase-instance>/api/datasources/<datasourceId>
  • Monitor access logs for PUT requests to /api/datasources/:datasourceId and correlate the client with the user's role; an accepted (2xx) PUT from a non-builder account is an exploitation attempt.
  • Review every datasource's config for hosts, ports, or URLs that point to internal IP addresses (loopback, RFC 1918, link-local ranges) or to hosts you do not recognise.
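The three checks above, written out as an added Python example; this is not code from the BaseFortify page or from the Budibase project. It assumes the Budibase session cookie is named budibase:auth and the app is selected with the x-budibase-app-id header (both to be verified against your deployment), and it assumes the datasource config field names host, url and connectionString. The access log lines and the datasource document are constructed samples. It goes slightly beyond the text by also handling REST datasource URLs and multi-host MongoDB connection strings when looking for internal targets.

```python
import ipaddress
import json
import re
import urllib.error
import urllib.request
from typing import Iterable, Optional
from urllib.parse import urlparse

# --- 1. Active check: does a non-builder session get its PUT accepted? --------
# Assumed transport details (verify against your deployment): the Budibase
# session travels in the "budibase:auth" cookie, the app in "x-budibase-app-id".
SESSION_COOKIE_NAME = "budibase:auth"
APP_ID_HEADER = "x-budibase-app-id"


def verdict_for_put_status(status: int) -> str:
    """Map the HTTP status of the non-builder PUT to a finding."""
    if 200 <= status < 300:
        return "VULNERABLE: update accepted for a non-builder session"
    if status in (401, 403):
        return "not vulnerable: update rejected"
    return f"inconclusive: unexpected status {status}"


def _request(method: str, url: str, app_id: str, session: str,
             body: Optional[dict] = None) -> tuple:
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    req.add_header(APP_ID_HEADER, app_id)
    req.add_header("Cookie", f"{SESSION_COOKIE_NAME}={session}")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}


def probe_datasource_update(base_url: str, app_id: str,
                            datasource_id: str, session: str) -> str:
    """GET the datasource, then PUT the unchanged document back with the same
    low-privilege session. No config value is altered, but it is still a write:
    use a throwaway datasource, and confirm first that a document whose secrets
    the GET response masked is accepted back unchanged."""
    url = f"{base_url.rstrip('/')}/api/datasources/{datasource_id}"
    status, doc = _request("GET", url, app_id, session)
    if status != 200:
        return f"inconclusive: GET returned {status}"
    status, _ = _request("PUT", url, app_id, session, body=doc)
    return verdict_for_put_status(status)


# --- 2. Passive check: datasource writes in the access log --------------------
# Constructed sample lines in nginx "combined" format; not real traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [27/May/2026:10:01:02 +0000] "GET /api/datasources/datasource_abc123 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [27/May/2026:10:01:09 +0000] "PUT /api/datasources/datasource_abc123 HTTP/1.1" 200 814 "-" "python-urllib/3.12"
198.51.100.4 - - [27/May/2026:10:02:30 +0000] "GET /api/datasources HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [27/May/2026:10:03:11 +0000] "PUT /api/datasources/datasource_def456 HTTP/1.1" 403 45 "-" "curl/8.5.0"
"""
_DS_PUT = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>PUT) /api/datasources/(?P<ds>[^/ ?"]+)[^"]*" (?P<status>\d{3})'
)


def datasource_puts(lines: Iterable[str]) -> list:
    """Every PUT against /api/datasources/<id> with client IP, time and status.
    Correlate the client with the user's role afterwards: an accepted (2xx) PUT
    from a non-builder account is the signal."""
    hits = []
    for line in lines:
        m = _DS_PUT.match(line)
        if m:
            hits.append({k: m.group(k) for k in ("ip", "ts", "method", "ds", "status")})
    return hits


# --- 3. Passive check: datasource configs pointing into internal networks -----
INTERNAL_SUFFIXES = (".internal", ".local", ".localhost", ".svc", ".cluster.local")


def is_internal_host(host: str) -> bool:
    """True for loopback, private, link-local and reserved addresses, and for
    common internal DNS suffixes. Unresolved public-looking names return False."""
    host = host.strip("[]").lower()
    if host == "localhost" or host.endswith(INTERNAL_SUFFIXES):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def hosts_in_config(config: dict) -> list:
    """Hostnames from the assumed config shapes: SQL drivers use host/port,
    REST uses url, MongoDB uses connectionString (possibly several hosts)."""
    hosts = [str(config["host"])] if config.get("host") else []
    for key in ("url", "connectionString"):
        raw = config.get(key)
        if not raw:
            continue
        netloc = urlparse(raw).netloc.rpartition("@")[2]  # drop user:pass@
        for part in netloc.split(","):
            hostname = urlparse(f"//{part}").hostname   # strips port/brackets
            if hostname:
                hosts.append(hostname)
    return hosts


def flag_internal_targets(datasource: dict) -> list:
    """Hosts in one datasource document (shape of GET /api/datasources/:id)
    that sit in internal address space."""
    return [h for h in hosts_in_config(datasource.get("config", {})) if is_internal_host(h)]


# Constructed datasource document, not a real one.
SAMPLE_DATASOURCE = {
    "_id": "datasource_abc123", "name": "orders-db", "source": "POSTGRES",
    "config": {"host": "10.0.0.5", "port": 5432, "database": "orders", "user": "app"},
}
```

probe_datasource_update is the only function that touches the network; the log and config checks run over whatever you export from your proxy logs and from the datasource documents, so they can be scheduled as a periodic audit after the upgrade as well.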
