CVE-2026-45718
Unauthorized Row Action Execution in Budibase

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is within the scope of the view's row filters. A user with access to a filtered view can trigger row actions on any row in the underlying table, including rows explicitly excluded by the view's security filters. This vulnerability is fixed in 3.38.1.
Meta Information
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: budibase
Product: budibase
Version / Range: 3.38.1
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Detection Guidance

This vulnerability involves the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) in Budibase prior to version 3.38.1, where the user-supplied rowId is not properly validated against the view's row filters.

To detect exploitation attempts on your network or system, you can monitor HTTP POST requests to the endpoint pattern /api/tables/*/actions/*/trigger.

Network traffic inspection tools or web server access logs can be filtered for such requests. For example, using grep on server logs:

  • grep -i 'POST /api/tables/' /path/to/access.log | grep '/actions/' | grep '/trigger'

Additionally, you can use tools like curl or HTTP clients to test if the endpoint improperly allows triggering actions on rows outside the filtered view by supplying different rowId values.
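The log-based detection described above, as an added example that is not part of this page or of Budibase: a small Python filter that scans access-log lines in the common combined format for the trigger route and flags clients that fire the same row action repeatedly. The log lines are constructed for illustration, and the burst threshold is an assumption to tune per deployment; because the rowId is not part of the route path, a plain access log does not show which row was targeted, so a burst is only a lead to confirm against application logs.

```python
import re
from collections import Counter

# Route from the advisory: POST /api/tables/:sourceId/actions/:actionId/trigger
# Assumes Apache/nginx combined log format; the rowId is not in the path, so it is not captured here.
TRIGGER_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /api/tables/(?P<source>[^/\s]+)/actions/(?P<action>[^/\s]+)/trigger(?:\?\S*)? HTTP/[\d.]+" '
    r'(?P<status>\d{3}) '
)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [27/May/2026:10:01:02 +0000] "POST /api/tables/ta_1/actions/ra_9/trigger HTTP/1.1" 200 51 "-" "curl/8.0"
203.0.113.5 - - [27/May/2026:10:01:03 +0000] "POST /api/tables/ta_1/actions/ra_9/trigger HTTP/1.1" 200 51 "-" "curl/8.0"
203.0.113.5 - - [27/May/2026:10:01:04 +0000] "POST /api/tables/ta_1/actions/ra_9/trigger HTTP/1.1" 200 51 "-" "curl/8.0"
198.51.100.7 - - [27/May/2026:10:02:00 +0000] "GET /api/tables/ta_1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [27/May/2026:10:02:10 +0000] "POST /api/tables/ta_1/actions/ra_9/trigger HTTP/1.1" 200 51 "-" "Mozilla/5.0"
"""


def find_trigger_requests(log_text):
    """Return one dict per access-log line that hits the row action trigger route."""
    hits = []
    for line in log_text.splitlines():
        m = TRIGGER_RE.match(line)
        if m:
            hits.append({k: m.group(k) for k in ("ip", "ts", "source", "action", "status")})
    return hits


def flag_bursts(hits, threshold=3):
    """Return (ip, sourceId, actionId) tuples with at least `threshold` successful triggers.

    Repeated triggers of one action from one client are the closest access-log signal
    for a user iterating over rows; the targeted rowId must be confirmed elsewhere.
    """
    counts = Counter(
        (h["ip"], h["source"], h["action"]) for h in hits if h["status"].startswith("2")
    )
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = find_trigger_requests(SAMPLE_LOG)
    print(f"{len(found)} trigger requests found")
    for key, n in flag_bursts(found).items():
        print("burst:", key, n)
```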

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Budibase to version 3.38.1 or later, where the issue has been fixed.

Executive Summary

This vulnerability exists in Budibase, an open-source low-code platform, in versions prior to 3.38.1. The issue is that the row action trigger endpoint does not properly validate whether the user-supplied rowId is within the scope of the view's row filters. As a result, a user who has access to a filtered view can trigger actions on any row in the underlying table, including rows that should be excluded by the view's security filters.

Impact Analysis

This vulnerability can allow a user with limited access to perform actions on data rows that they should not have access to. This means unauthorized access and modification of data could occur, potentially leading to data integrity issues and unauthorized information disclosure.

Compliance Impact

This vulnerability allows a user with access to a filtered view to trigger actions on any row in the underlying table, including rows that are explicitly excluded by the view's security filters.

Such unauthorized access to data outside the intended scope could lead to exposure or manipulation of sensitive information, potentially violating data protection requirements in standards like GDPR or HIPAA.

Therefore, this vulnerability may negatively impact compliance with regulations that mandate strict access controls and data privacy protections.
