CVE-2026-45717 Overview
Budibase is an open-source low-code platform for building internal tools and applications. CVE-2026-45717 is a missing authorization vulnerability [CWE-862] in the datasource management REST API. The PUT /api/datasources/:datasourceId route is registered with TABLE/READ permission and lacks an additional builder role check. Any authenticated app user with the BASIC built-in role or higher can rewrite a datasource configuration, including connection host, port, credentials, or REST base URL. The flaw enables internal network probing through SQL driver connections because no network-level Server-Side Request Forgery (SSRF) protection is applied. The vulnerability is fixed in Budibase 3.38.1.
Critical Impact
Authenticated non-builder users can hijack datasource configurations to access internal services, exfiltrate credentials, and pivot into protected network segments.
Affected Products
- Budibase versions prior to 3.38.1
- Self-hosted Budibase deployments exposing the datasource management API
- Multi-tenant Budibase instances with BASIC role users
Discovery Timeline
- 2026-05-27 - CVE-2026-45717 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45717
Vulnerability Analysis
Budibase exposes a REST API for datasource management. The route PUT /api/datasources/:datasourceId is registered in the authorizedRoutes group and protected only by the TABLE/READ permission level. This matches the read endpoint GET /api/datasources/:datasourceId, but write operations require stronger controls. Every authenticated Budibase app user with the BASIC built-in role or higher carries TABLE/WRITE and TABLE/READ permissions by default.
The datasource update controller performs no additional builder-role verification before applying changes. An authenticated non-builder user can submit a PUT request that rewrites the datasource config object. The mutable fields include connection host, port, database credentials, and the base URL of REST datasources. This grants a low-privileged user the ability to redirect production datasources to attacker-controlled or internal targets.
Root Cause
The root cause is missing authorization [CWE-862] on a state-changing endpoint. The route inherits a permission level intended for read access and the controller lacks a builder capability check. The application enforces no separation between data consumption permissions and data source configuration permissions.
Attack Vector
An authenticated attacker with the BASIC role issues a PUT request to /api/datasources/:datasourceId containing a modified config object. By changing the host to an internal IP address such as 127.0.0.1 or 169.254.169.254, the attacker redirects PostgreSQL, MySQL, or MongoDB connections to internal services. Because no network-level SSRF protection filters outbound SQL driver connections, the attacker can probe internal services on arbitrary ports. The attacker can also substitute credentials in the datasource and capture credentials sent by the application or other users.
See the GitHub Security Advisory GHSA-44m2-crh7-f4q2 for additional technical details.
Detection Methods for CVE-2026-45717
Indicators of Compromise
- Unexpected PUT /api/datasources/:datasourceId requests originating from non-builder user sessions.
- Datasource configuration entries containing internal IP addresses, loopback addresses, or cloud metadata endpoints such as 169.254.169.254.
- Outbound database driver connections from the Budibase server to unusual internal hosts or ports.
- Audit log entries showing datasource modifications without corresponding builder-role activity.
Detection Strategies
- Inspect Budibase application logs for PUT requests to /api/datasources/ and correlate the user role against the action performed.
- Compare current datasource configurations against a known-good baseline to identify unauthorized changes to host, port, or URL fields.
- Monitor egress traffic from Budibase containers for connections to RFC1918 ranges, link-local addresses, or non-approved external endpoints.
Monitoring Recommendations
- Alert on any datasource configuration change performed by a user lacking the builder role.
- Log and review all 200-series responses to the datasource update endpoint, including the diff of the config payload.
- Capture database driver connection metadata to detect anomalous targets initiated by the Budibase service account.
How to Mitigate CVE-2026-45717
Immediate Actions Required
- Upgrade all Budibase deployments to version 3.38.1 or later.
- Audit existing datasource records for unauthorized modifications to host, port, credentials, or base URL fields.
- Rotate database credentials referenced by Budibase datasources if tampering is suspected.
- Review user role assignments and remove BASIC access from accounts that do not require app interaction.
Patch Information
The issue is resolved in Budibase 3.38.1. The release adds a builder authorization check to the datasource update controller so non-builder users can no longer modify datasource configurations.
Workarounds
- Restrict network egress from the Budibase server to only the approved external database hosts and ports.
- Place Budibase in a network segment that blocks access to internal management interfaces and cloud metadata endpoints.
- Limit account provisioning so only trusted users hold roles at or above BASIC until the patch is applied.
# Verify the running Budibase version and upgrade via Docker
docker inspect budibase/proxy --format '{{.Config.Image}}'
docker compose pull
docker compose up -d
# Confirm the upgraded version is 3.38.1 or later
curl -s http://localhost:10000/api/system/version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
