PatchSiren cyber security CVE debrief

CVE-2026-45718 Budibase CVE debrief

Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is within the scope of the view's row filters. A user with access to a filtered view can trigger row actions on any row in the underlying table, including rows explicitly excluded by the view's security filters. This vulnerability is fixed in 3.38.1.

Vendor: Budibase
Product: Unknown
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Budibase versions prior to 3.38.1 with filtered views and row actions enabled. Security teams responsible for low-code platform governance. Application administrators relying on view filters for data segmentation and access control.

Technical summary

The vulnerability exists in the row action trigger endpoint at POST /api/tables/:sourceId/actions/:actionId/trigger. When a user triggers a row action through a filtered view, the endpoint accepts a user-supplied rowId parameter without verifying that the specified row satisfies the view's configured row filters. This allows an authenticated attacker with access to any filtered view to execute row actions on arbitrary rows in the underlying table, including rows that should be inaccessible based on the view's security filters. The flaw represents an authorization bypass (CWE-863) where the application fails to properly enforce access controls at the resource level.
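As an added illustration (not Budibase's own code), the check the summary describes, in TypeScript: a lookup that trusts the caller-supplied rowId and only confirms the row exists, beside a hardened lookup that also requires the row to satisfy the view's filters. The filter shape, field names and sample rows are assumptions made for the example.

```typescript
// Added illustration, not Budibase source code. It models the check the
// advisory describes: a row action triggered through a filtered view may
// only run on rows the view's filters would actually return. The filter
// shape, field names and sample rows are constructed for this example.
type Scalar = string | number | boolean;
type Row = Record<string, Scalar>;
interface Filter { field: string; op: "equal" | "notEqual" | "oneOf"; value: Scalar | Scalar[] }
// Every filter must hold (AND semantics assumed here).
interface View { filters: Filter[] }

// True when the row would be visible through the view.
function rowMatchesView(view: View, row: Row): boolean {
  return view.filters.every((f) => {
    const actual = row[f.field];
    if (f.op === "oneOf") return (f.value as Scalar[]).some((v) => v === actual);
    if (f.op === "notEqual") return actual !== f.value;
    return actual === f.value;
  });
}

// Vulnerable shape: trusts the caller-supplied rowId and only checks
// that such a row exists in the underlying table.
function resolveRowUnsafe(table: Row[], rowId: string): Row | undefined {
  return table.find((r) => r._id === rowId);
}

// Hardened shape: the row must exist AND satisfy the view's filters;
// an out-of-scope row is refused exactly like a missing one.
function resolveRowForView(table: Row[], view: View, rowId: string): Row | undefined {
  const row = table.find((r) => r._id === rowId);
  return row && rowMatchesView(view, row) ? row : undefined;
}

// Constructed sample: a view meant to expose only open EU rows.
const table: Row[] = [
  { _id: "row-1", region: "EU", status: "open" },
  { _id: "row-2", region: "US", status: "open" },
  { _id: "row-3", region: "EU", status: "closed" },
];
const euOpenView: View = {
  filters: [
    { field: "region", op: "equal", value: "EU" },
    { field: "status", op: "equal", value: "open" },
  ],
};
```

Refusing an out-of-scope row with the same response as a missing row avoids turning the check into an oracle for which rows exist outside the view.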

Defensive priority

medium

Recommended defensive actions

  • Upgrade Budibase to version 3.38.1 or later to remediate this vulnerability.
  • Review filtered view configurations to ensure row-level security controls are properly enforced.
  • Audit access logs for the POST /api/tables/:sourceId/actions/:actionId/trigger endpoint for potential unauthorized row action execution.
  • Validate that row action permissions align with view filter boundaries in custom implementations.

Evidence notes

The vulnerability was disclosed via GitHub Security Advisory GHSA-3263-v5v9-xq8q and published to the National Vulnerability Database on 2026-05-27. The issue affects Budibase versions prior to 3.38.1. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) indicates a network attack vector, low attack complexity, low privileges required, no user interaction and unchanged scope, with low impact on confidentiality and integrity and no impact on availability.

Official resources

2026-05-27