CVE-2026-48152
Budibase REST Datasource Authorization Secret Exposure
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| budibase | budibase | 3.39.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Budibase, an open-source low-code platform, prior to version 3.39.0. The issue arises because the single-datasource GET and PUT routes are protected only by a generic TABLE READ permission rather than more specific Builder/Admin permissions or datasource-specific ownership checks.
A user with the Basic app user role, which includes WRITE permissions, can read an existing REST datasource and receive redacted authentication configuration values. They can then submit an update that changes only the config.url while keeping the redacted placeholders intact.
During the update, the system restores the old stored secret when it detects the redaction placeholder. When the query executes, Budibase prefixes the attacker-controlled datasource config.url to the relative query path and applies the stored authentication headers. This leads to server-side disclosure of the builder-configured REST Authorization secret to an attacker-controlled listener.
This vulnerability was fixed in Budibase version 3.39.0.
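The following is an added illustration for this page, not Budibase's own code: a hypothetical model of a REST datasource record with its secret-redaction round trip, showing the flawed update pattern the answer above describes next to a hardened one. The placeholder token, the role names, the header list, the function names and the sample record are all assumptions made for the example; the fix the page describes (requiring Builder/Admin permission on the route) is the first check in the hardened version, and the origin comparison is an additional defense-in-depth check so that a secret restored from a placeholder can never be sent to a host other than the one it was stored for.

```typescript
// Hypothetical REST datasource model for illustration; not Budibase's implementation.
const REDACTED = "--secret-value--"; // assumed placeholder written in place of secrets

type Role = "BASIC" | "BUILDER";

interface RestConfig {
  url: string;                            // base URL prefixed to every relative query path
  defaultHeaders: Record<string, string>; // applied to every outgoing request
}

interface Datasource {
  id: string;
  config: RestConfig;
}

interface MergeResult {
  ok: boolean;
  reason?: string;
  datasource?: Datasource;
}

const SECRET_HEADER_NAMES = ["authorization"]; // assumed list of headers treated as secrets

function isSecretHeader(name: string): boolean {
  return SECRET_HEADER_NAMES.indexOf(name.toLowerCase()) !== -1;
}

// Replace secret header values with the placeholder before returning a record to a caller.
function redact(ds: Datasource): Datasource {
  const headers: Record<string, string> = {};
  for (const name of Object.keys(ds.config.defaultHeaders)) {
    headers[name] = isSecretHeader(name) ? REDACTED : ds.config.defaultHeaders[name];
  }
  return { id: ds.id, config: { url: ds.config.url, defaultHeaders: headers } };
}

// Swap placeholders back to the stored values so a round-tripped redacted record can be saved.
function restorePlaceholders(stored: RestConfig, incoming: RestConfig): Record<string, string> {
  const headers: Record<string, string> = {};
  for (const name of Object.keys(incoming.defaultHeaders)) {
    const value = incoming.defaultHeaders[name];
    headers[name] = value === REDACTED ? (stored.defaultHeaders[name] ?? "") : value;
  }
  return headers;
}

// Flawed pattern: no role check, and the stored secret is restored even though
// config.url now points at a different host.
function mergeUpdateVulnerable(stored: Datasource, incoming: Datasource): MergeResult {
  const headers = restorePlaceholders(stored.config, incoming.config);
  return {
    ok: true,
    datasource: { id: stored.id, config: { url: incoming.config.url, defaultHeaders: headers } },
  };
}

function originOf(url: string): string | null {
  try { return new URL(url).origin; } catch { return null; }
}

// Hardened pattern: updates require the builder role, and a secret restored from a
// placeholder is never carried to an origin other than the one it was stored for.
function mergeUpdateHardened(stored: Datasource, incoming: Datasource, callerRole: Role): MergeResult {
  if (callerRole !== "BUILDER") {
    return { ok: false, reason: "forbidden: datasource updates require the builder role" };
  }
  const newOrigin = originOf(incoming.config.url);
  if (newOrigin === null) {
    return { ok: false, reason: "invalid config.url" };
  }
  const restoresSecret = Object.keys(incoming.config.defaultHeaders).some(
    (name) => isSecretHeader(name) && incoming.config.defaultHeaders[name] === REDACTED,
  );
  if (restoresSecret && newOrigin !== originOf(stored.config.url)) {
    return { ok: false, reason: "refusing to send a stored secret to a new origin; supply the credential explicitly" };
  }
  const headers = restorePlaceholders(stored.config, incoming.config);
  return {
    ok: true,
    datasource: { id: stored.id, config: { url: incoming.config.url, defaultHeaders: headers } },
  };
}

// Constructed sample record with a fake token, used to exercise the two handlers.
const STORED: Datasource = {
  id: "ds_example",
  config: {
    url: "https://api.example.com/v1",
    defaultHeaders: { Authorization: "Bearer sample-token-not-real" },
  },
};
```

With `STORED`, a redacted record resubmitted with only `config.url` changed is accepted by `mergeUpdateVulnerable` with the real token attached, which is the disclosure path the answer describes; `mergeUpdateHardened` rejects the same request for a `BASIC` caller outright, and for a `BUILDER` caller it only restores the placeholder when the origin of `config.url` is unchanged, otherwise requiring the credential to be supplied explicitly.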
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive REST Authorization secrets configured in Budibase. An attacker with Basic user permissions can exploit this flaw to obtain these secrets by manipulating datasource configurations.
With access to these secrets, an attacker could potentially impersonate legitimate services or users, access protected resources, or perform unauthorized actions within the system or connected services.
The CVSS score of 8.1 indicates a high severity impact, with confidentiality and integrity being highly affected, though availability is not impacted.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Budibase to version 3.39.0 or later, where the issue has been fixed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows Basic app users to exfiltrate stored REST datasource authentication credentials, potentially exposing sensitive API keys, tokens, or credentials. Such unauthorized disclosure of sensitive information can lead to violations of data protection and privacy regulations like GDPR and HIPAA, which mandate strict controls over access to and protection of confidential data.
Because the vulnerability impacts confidentiality and integrity by exposing authentication secrets to unauthorized users, it may result in non-compliance with standards requiring secure handling of sensitive information and access controls.