These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
A Server-Side Request Forgery (SSRF) vulnerability exists in Budibase's OAuth2 SDK prior to version 3.39.0. The `fetchToken` function makes POST requests to builder-supplied URLs using plain `node-fetch` without applying the `blacklist.isBlacklisted` check that protects other outbound fetch paths in the codebase. Additionally, the Joi schema for OAuth2 URLs lacks scheme or host restrictions, allowing atta [truncated]
A privilege escalation vulnerability in Budibase prior to version 3.39.0 allows Basic app users to exfiltrate REST datasource authorization secrets. The issue stems from insufficient access controls on single-datasource GET and PUT endpoints, which rely on generic TABLE READ permissions rather than Builder/Admin-specific or datasource-ownership checks. The Basic role's WRITE permission set includes table [truncated]
A missing authorization check in Budibase's webhook schema-building endpoint allows unauthenticated attackers to modify webhook body schemas and automation trigger output schemas. The vulnerability exists because the `/api/webhooks/schema` path is registered under `builderRoutes` but the generic authorization middleware explicitly skips authorization for this path pattern. This architectural gap permits a [truncated]
A critical privilege escalation vulnerability in Budibase allows workspace-scoped builders to grant themselves or others global administrator privileges. The flaw exists in the /api/public/v1/roles/assign endpoint, where the builderOrAdmin middleware permits access based on app-level builder status, but the underlying SDK grants global roles without additional verification. An attacker with workspace-scop [truncated]
A stored cross-site scripting (XSS) vulnerability exists in Budibase, an open-source low-code platform, affecting versions prior to 3.39.0. The vulnerability resides in the Text component's Markdown rendering functionality, where user-supplied markdown content is parsed and assigned directly to innerHTML without sanitization. Any application user with WRITE permissions on a table can inject malicious payl [truncated]
Budibase versions prior to 3.35.3 contain a server-side request forgery (SSRF) vulnerability in the VectorDB configuration endpoint. The endpoint accepts a host parameter without validation against internal IP ranges, reserved hostnames, or URL schemes. An authenticated user with builder-level access can supply arbitrary host values—including cloud metadata endpoints (169.254.169.254) or localh [truncated]
A cross-site request forgery (CSRF) bypass vulnerability exists in Budibase prior to version 3.35.4. The root cause is improper regular expression anchoring in the route matching logic used by CSRF middleware. The `buildMatcherRegex()` and `matches()` functions in `packages/backend-core/src/middleware/matchers.ts` compile route patterns into unanchored regular expressions and match them against `ctx.reque [truncated]
CVE-2026-48146 is a Server-Side Request Forgery (SSRF) vulnerability in Budibase, an open-source low-code platform. The flaw exists in the OAuth2 token fetch function located in `packages/server/src/sdk/workspace/oauth2/utils.ts` prior to version 3.39.0. The vulnerable code uses a raw `fetch(config.url)` call without SSRF protection, despite the existence of a `fetchWithBlacklist()` wrapper elsewhere in t [truncated]
CVE-2026-48128 is a server-side request forgery (SSRF) vulnerability in Budibase, an open-source low-code platform. The issue exists in the executeQuery automation step prior to version 3.39.0. The automation step accepts a queryId from user-controlled inputs and passes it directly to the query execution controller without validation. When a REST datasource is configured to target internal infrastructure, [truncated]
A stored cross-site scripting (XSS) vulnerability exists in Budibase, an open-source low-code platform, affecting versions prior to 3.38.2. The file upload endpoint POST /api/attachments/process fails to enforce active-content restrictions for authenticated builder users. Dangerous file extension checks are conditionally bypassed when the user is not a public user or when the environment is self-hosted. T [truncated]
A critical authorization bypass vulnerability in Budibase's SCIM (System for Cross-domain Identity Management) implementation allows any authenticated user to perform full CRUD operations on all users and groups within a tenant. The vulnerability exists because the SCIM router in packages/worker/src/api/routes/global/scim.ts only applies two middleware checks—requireSCIM (Enterprise feature flag and SCIM [truncated]
Budibase is an open-source low-code platform. Prior to 3.38.2, the public API role unassignment endpoint (POST /api/public/v1/roles/unassign) updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user identity and permissions from this cache (TTL: 3600 seconds), a user whose admin, builder, or app-level roles ha [truncated]
Budibase versions prior to 3.38.1 contain a server-side code injection vulnerability in the V1 Views API. The `POST /api/views` endpoint accepts a `calculation` parameter that is interpolated directly into a CouchDB reduce function definition without validation, despite the existence of an internal `SCHEMA_MAP` object that defines valid calculation types (`sum`, `count`, `stats`). A user with B [truncated]
Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is within the scope of the view's row filters. A user with access to a filtered view can trigger row actions on any row in the underlying table, including rows explicitly excluded by the view's security filters. [truncated]
Budibase versions prior to 3.38.1 contain a broken access control vulnerability (CWE-862) that allows any authenticated non-builder application user to modify datasource configurations. The PUT /api/datasources/:datasourceId endpoint was incorrectly assigned TABLE/READ permission level—equivalent to the read endpoint—rather than requiring elevated builder privileges. Since all authe [truncated]
A privilege escalation vulnerability in Budibase, an open-source low-code platform, allows builder-level users to create global admin accounts when SMTP email is not configured. The POST /api/global/users/onboard endpoint, protected only by workspaceBuilderOrAdmin middleware, accepts arbitrary role assignments in the request body and returns generated passwords in the response. This bypasses the intended [truncated]
Budibase versions prior to 3.38.1 contain a Server-Side Request Forgery (SSRF) vulnerability in the REST datasource integration. The application follows HTTP redirects without re-validating the destination IP address against the configured blacklist, enabling an authenticated Builder to access internal services—including cloud metadata endpoints and databases—by redirecting requests through an attacker-co [truncated]
CVE-2026-45548 is a server-side request forgery (SSRF) vulnerability in Budibase, an open-source low-code platform. The flaw exists in the `processUrlFile` function within `packages/server/src/automations/steps/ai/extract.ts`, which performs direct `fetch(fileUrl)` calls without applying IP blacklist validation. This validation is consistently enforced across all other automation steps but was omitted in [truncated]
CVE-2026-45061 is a high-severity (CVSS 7.7) Server-Side Request Forgery (SSRF) vulnerability in Budibase, an open-source low-code platform. The flaw exists in the Plugin URL upload endpoint (POST /api/plugin) prior to version 3.35.10. The endpoint performs insufficient URL validation using only a substring check for `.tar.gz`, which can appear anywhere in the URL string—including query parameters or frag [truncated]