CVE-2026-46427
Status: Deferred - Pending Action
Snowflake PEM Exposure in Budibase Prior to 3.38.3

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
Budibase is an open-source low-code platform. Prior to 3.38.3, removeSecrets at packages/server/src/sdk/workspace/datasources/datasources.ts masks only datasource config fields whose schema type is DatasourceFieldType.PASSWORD. The Snowflake integration types its privateKey field as SENSITIVE_LONGFORM, which the filter skips. GET /api/datasources/:datasourceId lives on authorizedRoutes guarded by PermissionType.TABLE + PermissionLevel.READ. An authenticated BASIC user with any app role can call the endpoint and receive the full Snowflake PEM private key in plaintext. This vulnerability is fixed in 3.38.3.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-28
Generated: 2026-06-17
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: budibase
Product: budibase
Version / Range: all versions before 3.38.3 (3.38.3 itself is not affected)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Compliance Impact

This vulnerability allows authenticated BASIC users to retrieve unmasked Snowflake private keys in plaintext, potentially leading to unauthorized access to sensitive data stored in Snowflake analytics warehouses.

Such unauthorized access to sensitive data could result in violations of data protection regulations and standards like GDPR and HIPAA, which mandate strict controls over access to confidential information and require protection of sensitive data.

Therefore, exploitation of this vulnerability could compromise compliance with these regulations by exposing sensitive credentials and data to unauthorized parties.

Executive Summary

This vulnerability exists in Budibase, an open-source low-code platform, prior to version 3.38.3. The function removeSecrets, which strips credentials from a datasource before it is returned to the client, decides what to mask by schema field type and masks only fields typed PASSWORD. The Snowflake integration types its privateKey field as SENSITIVE_LONGFORM, so the filter leaves it untouched.

As a result, an authenticated BASIC user with any app role can call GET /api/datasources/:datasourceId, which authorizedRoutes guards only with PermissionType.TABLE at PermissionLevel.READ (a check any app role passes), and receive the full Snowflake private key (PEM) in plaintext.

This vulnerability was fixed in Budibase version 3.38.3.
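The failure mode above (a secret filter keyed on field type that does not know about every secret-bearing type) is easy to reproduce in miniature. The following is an added example written for this page, not Budibase's own code: the field-type names follow the advisory, but their string values, the schema shape, the mask placeholder, the function names and the sample config are assumptions, and the PEM body is a constructed fake. It shows the vulnerable filter beside a hardened one that masks every known secret type and, as a default-deny measure, any config key the schema does not describe.

```typescript
// Added example, not Budibase's code. Names and values below are assumptions
// made for illustration; the private key is a constructed fake.

const DatasourceFieldType = {
  STRING: "string",
  PASSWORD: "password",
  SENSITIVE_LONGFORM: "sensitiveLongForm",
} as const;
type FieldType = (typeof DatasourceFieldType)[keyof typeof DatasourceFieldType];

type DatasourceSchema = Record<string, { type: FieldType }>;
type DatasourceConfig = Record<string, string>;

// Placeholder returned in place of a secret (assumed value).
export const MASK = "--secret-value--";

// Assumed Snowflake-style schema: privateKey is SENSITIVE_LONGFORM, not PASSWORD.
export const snowflakeSchema: DatasourceSchema = {
  account: { type: DatasourceFieldType.STRING },
  username: { type: DatasourceFieldType.STRING },
  password: { type: DatasourceFieldType.PASSWORD },
  privateKey: { type: DatasourceFieldType.SENSITIVE_LONGFORM },
};

// Constructed sample config; the key material is fake.
export const sampleConfig: DatasourceConfig = {
  account: "acme-xy12345",
  username: "svc_reporting",
  password: "hunter2",
  privateKey:
    "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7\n-----END PRIVATE KEY-----",
};

// Behaviour the advisory describes for versions before 3.38.3: only fields
// whose schema type is PASSWORD are masked, so privateKey passes through.
export function removeSecretsVulnerable(
  schema: DatasourceSchema,
  config: DatasourceConfig,
): DatasourceConfig {
  const out: DatasourceConfig = { ...config };
  for (const [name, field] of Object.entries(schema)) {
    if (field.type === DatasourceFieldType.PASSWORD && name in out) {
      out[name] = MASK;
    }
  }
  return out;
}

// Hardened filter (illustrative, not necessarily the upstream patch): every
// secret-bearing type is listed in one place, and config keys the schema does
// not describe are masked too, since they cannot be proven non-secret.
const SECRET_FIELD_TYPES: ReadonlySet<FieldType> = new Set<FieldType>([
  DatasourceFieldType.PASSWORD,
  DatasourceFieldType.SENSITIVE_LONGFORM,
]);

export function removeSecretsFixed(
  schema: DatasourceSchema,
  config: DatasourceConfig,
): DatasourceConfig {
  const out: DatasourceConfig = { ...config };
  for (const [name, field] of Object.entries(schema)) {
    if (SECRET_FIELD_TYPES.has(field.type) && name in out) {
      out[name] = MASK;
    }
  }
  for (const name of Object.keys(out)) {
    if (!(name in schema)) out[name] = MASK; // default-deny for unknown keys
  }
  return out;
}

// Stand-alone demonstration of the difference.
console.log("vulnerable:", removeSecretsVulnerable(snowflakeSchema, sampleConfig));
console.log("fixed:     ", removeSecretsFixed(snowflakeSchema, sampleConfig));
```

The structural lesson is that a masking routine driven by a type allow-list is only as complete as that list; every new sensitive field type added to the integrations needs a matching entry, which a default-deny for unrecognised keys partly compensates for.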

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive credentials, specifically the private key the Snowflake integration uses. Any authenticated user holding the BASIC role and any app role can retrieve that key in plaintext; no builder or admin privilege is required.

The PEM is the private half of the key pair Snowflake uses for key-pair authentication, so whoever obtains it can authenticate to Snowflake directly as the integration's service user, outside Budibase and its role checks, with whatever warehouse and database privileges that user holds. Depending on those grants, that means reading or modifying the data the integration reaches.

The CVSS base score of 7.7 indicates a high severity impact, with confidentiality being highly affected.

Mitigation Strategies

Upgrade Budibase to version 3.38.3 or later, where removeSecrets no longer skips the Snowflake privateKey field. Upgrading stops further disclosure but does not undo any that has already happened, so if the vulnerable version was reachable by BASIC-role users, treat the Snowflake key as compromised: generate a new RSA key pair, register the new public key on the Snowflake service user (ALTER USER ... SET RSA_PUBLIC_KEY, or RSA_PUBLIC_KEY_2 for an overlapping rotation), update the Budibase datasource with the new private key, then remove the old public key. Until the upgrade is applied, restrict app access to users trusted to see datasource credentials, since any app role suffices to call the endpoint.

Detection Guidance

An instance is vulnerable if it runs a Budibase version earlier than 3.38.3 and has at least one Snowflake datasource. To confirm exposure rather than infer it from the version, request the datasource as a user who holds only the BASIC global role and an ordinary app role, and check whether the privateKey entry in the returned config is plaintext PEM rather than the mask placeholder.

Exploitation leaves no distinctive signature: a request that returns the key is an ordinary GET /api/datasources/:datasourceId, the same call the builder makes when it opens a datasource. In the reverse-proxy or application access logs, list every request to that path for Snowflake datasources during the window in which the vulnerable version was deployed, resolve each caller to a user and role, and treat reads by BASIC-role accounts that have no reason to open datasource settings as possible exposure of the key.

Note that "BASIC" here is the Budibase user role, not HTTP Basic authentication; the request must carry that user's own Budibase credentials. Budibase accepts a user's API key in the x-budibase-api-key header (app-scoped routes also take the app in x-budibase-app-id), and the session cookie from a browser login works equally. For example:

  • curl -H "x-budibase-api-key: <api-key-of-a-BASIC-user>" -H "x-budibase-app-id: <appId>" https://<budibase-server>/api/datasources/<datasourceId>
  • Inspect the returned JSON for a privateKey value beginning with -----BEGIN, which shows the key was served unmasked.

Rather than a CLI flag, check the running version from the deployment itself, for example:

  • docker ps --format '{{.Image}}' | grep budibase (prints the image tags in a Docker deployment), or the version shown in the Budibase admin portal

If the version is earlier than 3.38.3, the instance is vulnerable and should be updated.
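A scripted version of the response check above, written for this page rather than taken from Budibase: feed it the parsed JSON body of the datasource request and it returns the JSON paths of every string that carries a PEM private-key header, wherever it sits in the structure. The two sample bodies are constructed, and their field names and the mask placeholder are assumptions.

```typescript
// Added example, not Budibase's code. Sample bodies are constructed; field
// names and the "--secret-value--" placeholder are assumptions.

// Matches the header of RSA, EC, encrypted and PKCS#8 private keys, but not
// certificates or public keys, which are not secrets.
const PEM_PRIVATE_KEY = /-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----/;

// Walks any JSON value and returns the JSON paths of strings that carry a
// private-key header, so nested configs and list responses are covered.
export function findPrivateKeys(value: unknown, path = "$"): string[] {
  const hits: string[] = [];
  if (typeof value === "string") {
    if (PEM_PRIVATE_KEY.test(value)) hits.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((item, i) => {
      hits.push(...findPrivateKeys(item, `${path}[${i}]`));
    });
  } else if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      hits.push(...findPrivateKeys(child, `${path}.${key}`));
    }
  }
  return hits;
}

// Verdict for a scripted check: true means the instance served key material.
export function isExposed(body: unknown): boolean {
  return findPrivateKeys(body).length > 0;
}

// Constructed response as a vulnerable version would return it (fake key).
export const leakedBody = {
  _id: "datasource_plus_7c2e",
  source: "SNOWFLAKE",
  config: {
    account: "acme-xy12345",
    username: "svc_reporting",
    password: "--secret-value--",
    privateKey:
      "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcw\n-----END PRIVATE KEY-----",
  },
};

// Constructed response as a fixed version would return it.
export const maskedBody = {
  ...leakedBody,
  config: { ...leakedBody.config, privateKey: "--secret-value--" },
};

console.log("leaked paths:", findPrivateKeys(leakedBody));
console.log("masked exposed?", isExposed(maskedBody));
```

In practice, pipe the curl output from the step above into JSON.parse and pass the result to isExposed; a non-empty result from findPrivateKeys is evidence that the instance still serves the key and that the key needs rotating, not just the software upgrading.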
