PatchSiren cyber security CVE debrief
CVE-2026-45717 Budibase CVE debrief
**Executive Summary:** Budibase versions prior to 3.38.1 contain a broken access control vulnerability (CWE-862) that lets any authenticated non-builder application user modify datasource configurations. The PUT /api/datasources/:datasourceId endpoint was registered with the TABLE/READ permission level, the same level as the read-only GET endpoint, instead of requiring builder privileges. Because every authenticated user with the BASIC role or higher holds TABLE/WRITE (which implies TABLE/READ), any such user can send a PUT request that rewrites a datasource's connection parameters, including host, port, credentials, and REST base URL. Budibase applies no network-level SSRF protections to SQL driver connections, so an attacker can point a PostgreSQL, MySQL, or MongoDB datasource at an internal IP address and use the resulting connection attempts to probe and interact with internal services on arbitrary ports. The vulnerability was disclosed on 2026-05-27 and carries a CVSS 3.1 score of 8.8 (HIGH).
- Vendor: Budibase
- Product: Unknown
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running Budibase self-hosted instances with multi-user applications where non-builder users have application access. Security teams monitoring for SSRF vulnerabilities in low-code platforms. Infrastructure teams responsible for network segmentation between application servers and internal services.
Technical summary
The vulnerability stems from an incorrect permission mapping in Budibase's REST API authorization layer. The datasource update controller at PUT /api/datasources/:datasourceId was registered in the authorizedRoutes group with TABLE/READ permission, identical to the read-only GET endpoint, and the controller itself performed no additional builder privilege check. Because Budibase's permission model grants TABLE/WRITE (and therefore TABLE/READ) to every authenticated user with the BASIC role or above, any user who can sign in to an application could invoke the update endpoint; the builder privilege that should gate it is a user-level flag separate from the in-app role, which is why the route-level check matters. The datasource config object accepts connection parameters including host, port, database credentials, and REST base URLs. Critically, Budibase's SQL driver connections lack network-level SSRF protections, so a rewritten host is connected to as given, including internal IP addresses. This lets an attacker map internal network topology and interact with services on arbitrary ports through database protocol connections. Rewriting the host or credentials of a datasource an application depends on also subverts or breaks that application for every user, which is reflected in the integrity and availability components of the CVSS vector. The advisory does not describe the code change; the fix in 3.38.1 presumably restricts datasource modification to builder roles.
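To make the permission-mapping flaw concrete, the following is an added illustration and not Budibase's router or middleware code. It models a route table in which the PUT handler carries the same TABLE/READ requirement as the GET handler, beside a corrected table in which the mutating route checks the builder flag. The endpoint path and the TABLE/READ registration come from the advisory; the role set, the "WRITE implies READ" rule, and the shape of the route and session objects are assumptions made for the example.

```typescript
// Added illustration of the permission-mapping flaw described above. This is a
// simplified model, not Budibase's router or middleware code: the route table,
// the role set and the "WRITE implies READ" rule are assumptions for the example;
// only the endpoint path and the TABLE/READ registration come from the advisory.

type PermissionLevel = "READ" | "WRITE";
type AppRole = "PUBLIC" | "BASIC" | "POWER" | "ADMIN";

// A route either demands a resource/level pair or the builder flag.
type Requirement = { resource: "TABLE"; level: PermissionLevel } | { builder: true };

interface Route {
  method: "GET" | "PUT";
  path: string;
  requires: Requirement;
}

interface Session {
  role: AppRole;      // role inside the app
  isBuilder: boolean; // user-level builder flag, separate from the app role
}

// Assumed model, matching the advisory: every authenticated app role from BASIC
// upwards holds TABLE/WRITE, and WRITE includes READ.
const TABLE_LEVEL: Record<AppRole, PermissionLevel | null> = {
  PUBLIC: null, BASIC: "WRITE", POWER: "WRITE", ADMIN: "WRITE",
};

function holdsLevel(role: AppRole, level: PermissionLevel): boolean {
  const held = TABLE_LEVEL[role];
  return held !== null && (held === "WRITE" || level === "READ");
}

function isAuthorized(route: Route, s: Session): boolean {
  if ("builder" in route.requires) return s.isBuilder;
  return holdsLevel(s.role, route.requires.level);
}

// Pre-3.38.1 shape: PUT registered with the same TABLE/READ check as GET.
const vulnerableRoutes: Route[] = [
  { method: "GET", path: "/api/datasources/:datasourceId", requires: { resource: "TABLE", level: "READ" } },
  { method: "PUT", path: "/api/datasources/:datasourceId", requires: { resource: "TABLE", level: "READ" } },
];

// Corrected shape (assumed; the advisory states only that builder privileges are
// required): the mutating route checks the builder flag, not the app role.
const fixedRoutes: Route[] = [
  { method: "GET", path: "/api/datasources/:datasourceId", requires: { resource: "TABLE", level: "READ" } },
  { method: "PUT", path: "/api/datasources/:datasourceId", requires: { builder: true } },
];

// Can this session reach the datasource update handler under the given route table?
function canUpdateDatasource(routes: Route[], s: Session): boolean {
  const put = routes.find(r => r.method === "PUT");
  return put !== undefined && isAuthorized(put, s);
}
```

Under the vulnerable table a plain BASIC user passes the PUT check because holding TABLE/WRITE satisfies TABLE/READ; under the corrected table the same user is refused regardless of app role, and only a session with the builder flag gets through. The point for reviewers of similar code is that a read-level requirement on a mutating route is never a safe default when write access is granted broadly.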
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Budibase to version 3.38.1 or later to obtain the authorization fix
- Review and restrict application user roles to minimum necessary permissions, avoiding unnecessary TABLE/WRITE assignments
- Where egress filtering is used as a compensating control, allowlist the specific database hosts and ports each datasource legitimately needs rather than blanket-blocking RFC 1918 space, since self-hosted databases normally sit on internal addresses; deny everything else, including loopback and the link-local range used by cloud metadata endpoints
- Audit current datasource configurations and their change history for unexpected host, port, credential, or base-URL changes made by non-builder accounts; the exposure window runs from the deployment of a vulnerable version, not only from the disclosure date
- If the upgrade is delayed, add a compensating check in front of the application (for example, a reverse-proxy rule that denies PUT /api/datasources/* except from the networks builders work from), since the built-in role permissions alone do not protect the endpoint in vulnerable versions
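The audit action above needs a concrete comparison, so the following added example (not Budibase code) checks exported datasource documents against a known-good baseline of connection targets and flags any that changed or have no baseline entry, noting when the new target is a private, loopback, or link-local address. The document shape ({ _id, name, source, config }), the baseline format, and all sample records are assumptions constructed for the example; the check matches literal IPv4 addresses only, so a hostname that resolves internally is caught by the baseline comparison, not by the range check.

```typescript
// Added example: audit exported Budibase datasource documents against a known-good
// baseline, to find connection targets rewritten via the vulnerable PUT endpoint.
// This is NOT Budibase code. The document shape ({ _id, name, source, config }),
// the baseline format and every sample record are assumptions constructed here.

interface DatasourceDoc {
  _id: string;
  name: string;
  source: string;                       // "POSTGRES" | "MYSQL" | "MONGODB" | "REST" ...
  config: { host?: string; port?: number; url?: string };
}

interface Finding {
  id: string;
  target: string;                       // host:port as currently configured
  reason: string;
}

// RFC 1918 private space, loopback, and link-local (which covers cloud metadata
// endpoints such as 169.254.169.254).
const INTERNAL_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16"];

function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(ip: number, cidr: string): boolean {
  const [base, bits] = cidr.split("/");
  const shift = 32 - Number(bits);
  return (ip >>> shift) === ((ipv4ToInt(base) as number) >>> shift);
}

// Literal IPv4 only: a hostname that resolves internally is not caught here, which
// is why the baseline comparison below is the primary check.
function isInternalAddress(host: string): boolean {
  const ip = ipv4ToInt(host);
  return ip !== null && INTERNAL_RANGES.some(r => inCidr(ip, r));
}

// Current connection target of a datasource as "host:port"; REST datasources carry
// a base URL, SQL/Mongo datasources carry host and port.
function targetOf(doc: DatasourceDoc): string {
  if (doc.config.url) {
    const m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^@/]*@)?([^/:?#]+)(?::(\d+))?/i.exec(doc.config.url);
    if (m) return `${m[1]}:${m[2] ?? (doc.config.url.startsWith("https") ? 443 : 80)}`;
    return doc.config.url;
  }
  return `${doc.config.host ?? "?"}:${doc.config.port ?? "?"}`;
}

function auditDatasources(docs: DatasourceDoc[], baseline: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const doc of docs) {
    const target = targetOf(doc);
    const host = target.slice(0, target.lastIndexOf(":"));
    const internal = isInternalAddress(host) ? " (internal/link-local address)" : "";
    const expected = baseline[doc._id];
    if (expected === undefined) {
      findings.push({ id: doc._id, target, reason: `no baseline entry${internal}` });
    } else if (expected !== target) {
      findings.push({ id: doc._id, target, reason: `target changed from ${expected}${internal}` });
    }
  }
  return findings;
}

// Constructed sample input: four datasources from a hypothetical export plus the
// targets recorded before the vulnerable version was deployed.
const SAMPLE_DOCS: DatasourceDoc[] = [
  { _id: "ds_orders",  name: "Orders DB",  source: "POSTGRES", config: { host: "db.internal.example", port: 5432 } },
  { _id: "ds_reports", name: "Reports DB", source: "MYSQL",    config: { host: "10.0.0.5", port: 3306 } },
  { _id: "ds_crm",     name: "CRM API",    source: "REST",     config: { url: "http://169.254.169.254/latest/meta-data/" } },
  { _id: "ds_scratch", name: "Scratch",    source: "MONGODB",  config: { host: "mongo.example.com", port: 27017 } },
];
const SAMPLE_BASELINE: Record<string, string> = {
  ds_orders:  "db.internal.example:5432",
  ds_reports: "reports-db.internal.example:3306",
  ds_crm:     "crm-api.example.com:443",
};

const SAMPLE_FINDINGS = auditDatasources(SAMPLE_DOCS, SAMPLE_BASELINE);
```

On the sample data the orders datasource is unchanged and produces nothing; the reports datasource now points at a private address, the CRM REST datasource has been redirected at the link-local metadata range, and the scratch datasource has no baseline at all, so all three are reported. The baseline is the part that makes this useful: take it from a configuration backup or change ticket that predates the vulnerable deployment, not from the live instance.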
Evidence notes
The vulnerability description confirms the authorization flaw: the PUT endpoint for datasource updates was registered with TABLE/READ permission instead of a builder-level requirement. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects a network attack vector, low attack complexity, low privileges required (any application account), no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. The fixed version 3.38.1 is documented in the official GitHub release.
Official resources
2026-05-27