
CVE-2026-45718: Budibase Authorization Bypass Vulnerability

CVE-2026-45718 is an authorization bypass flaw in Budibase that allows users to trigger row actions beyond their view permissions. This article covers the technical details, affected versions, and mitigation steps.

Published:

CVE-2026-45718 Overview

CVE-2026-45718 is an authorization bypass vulnerability in Budibase, an open-source low-code application platform. The flaw exists in the row action trigger endpoint POST /api/tables/:sourceId/actions/:actionId/trigger. The endpoint fails to validate that the user-supplied rowId falls within the scope of the view's row filters. An authenticated user with access to a filtered view can trigger row actions on any row in the underlying table, including rows explicitly excluded by the view's security filters. The vulnerability is fixed in Budibase 3.38.1 and is classified under CWE-863: Incorrect Authorization.

Critical Impact

Authenticated users can bypass view-level row filters and execute row actions on restricted records in the underlying table.

Affected Products

  • Budibase versions prior to 3.38.1
  • Self-hosted Budibase deployments using row actions on filtered views
  • Budibase applications relying on view filters as a security boundary

Discovery Timeline

  • 2026-05-27 - CVE-2026-45718 published to NVD
  • 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-45718

Vulnerability Analysis

Budibase uses views as a filtered projection of an underlying table. Views can include row filters that restrict which records a user can see or interact with. The row action trigger endpoint accepts a sourceId identifying the view and a rowId identifying the row to act on. The endpoint authorizes the caller based on view access but does not re-check whether the specified rowId actually satisfies the view's filter predicates. As a result, the filter is enforced for read operations but not for action triggers.

Root Cause

The root cause is a missing authorization check between the view scope and the supplied row identifier. The handler treats access to the view as sufficient authorization for any rowId value, violating the principle that filter-based security boundaries must be enforced on every operation. This is a classic CWE-863 incorrect authorization pattern where one access decision is reused across different code paths.
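To make the missing check concrete, here is an added illustration (not Budibase's own code) of the trigger path described above: a minimal view model with row filters, the vulnerable pattern that authorizes on view access alone, and the fixed pattern that also requires the supplied rowId to satisfy the view's filters. The type and function names are assumptions for this example, not Budibase identifiers.

```typescript
// Added example, not Budibase source: models the authorization gap in
// CVE-2026-45718. Names (Filter, View, Row, triggerRowAction*) are assumptions.

type Filter = { field: string; operator: "equal" | "notEqual"; value: unknown };
type View = { id: string; tableId: string; filters: Filter[] };
type Row = { _id: string; [key: string]: unknown };

// Constructed sample data: a "tickets" table and a view that is meant to
// expose only rows owned by "alice".
const tickets: Row[] = [
  { _id: "row-1", owner: "alice", status: "open" },
  { _id: "row-2", owner: "bob", status: "open" },
];
const aliceView: View = {
  id: "view-1",
  tableId: "tickets",
  filters: [{ field: "owner", operator: "equal", value: "alice" }],
};

// Evaluates the view's filter predicates against one row.
function rowMatchesView(row: Row, view: View): boolean {
  return view.filters.every(f =>
    f.operator === "equal" ? row[f.field] === f.value : row[f.field] !== f.value);
}

function findRow(tableId: string, rowId: string): Row | undefined {
  return tableId === "tickets" ? tickets.find(r => r._id === rowId) : undefined;
}

// Vulnerable pattern: access to the view is the only authorization, and the
// rowId is resolved against the whole underlying table.
function triggerRowActionVulnerable(view: View, rowId: string, log: string[]): string | undefined {
  const row = findRow(view.tableId, rowId);
  if (!row) return undefined;
  log.push(`acted on ${row._id}`);
  return row._id;
}

// Fixed pattern: the row must also satisfy the view's filters, otherwise the
// request is rejected before any action handler runs.
function triggerRowActionFixed(view: View, rowId: string, log: string[]): string | undefined {
  const row = findRow(view.tableId, rowId);
  if (!row || !rowMatchesView(row, view)) return undefined;
  log.push(`acted on ${row._id}`);
  return row._id;
}
```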

Attack Vector

An attacker requires authenticated access to a Budibase instance and permission to use a filtered view that exposes at least one row action. The attacker sends a POST request to /api/tables/:sourceId/actions/:actionId/trigger using the view's sourceId but supplies a rowId corresponding to a row that the view's filter would normally exclude. The server executes the configured row action against that out-of-scope row. Depending on what the row action does, such as updating fields, sending notifications, or invoking workflows, the attacker can read or modify records they should not be able to reach.

The vulnerability is described in the GitHub Security Advisory GHSA-3263-v5v9-xq8q.

Detection Methods for CVE-2026-45718

Indicators of Compromise

  • Requests to /api/tables/:sourceId/actions/:actionId/trigger where the rowId does not appear in subsequent read responses for the same view
  • Row action executions logged against rows that the calling user has never queried through the view
  • Unexpected modifications, workflow triggers, or notifications tied to row action handlers on restricted records

Detection Strategies

  • Correlate row action trigger requests with the filter predicates of the referenced view and flag mismatches
  • Compare the set of rowId values targeted by action triggers against the set of rowId values returned by view read operations for the same user
  • Alert on row actions invoked by low-privilege users against rows that contain sensitive field values restricted by the view filter
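The second strategy above, comparing triggered rowId values with the rows a view actually returned to the same user, can be run over audit logs. This is an added detection sketch, not part of the advisory or of Budibase; the log line format and field names (op=, sourceId=, rowId=, rows=) are assumptions for the example and must be mapped onto whatever your Budibase or reverse-proxy logging emits.

```typescript
// Added example, not Budibase code: flags row-action triggers whose rowId was
// never returned to that user by a read of the same view. Log format is assumed.

type AuditEvent = {
  ts: string; user: string; op: string; sourceId: string;
  actionId?: string; rowId?: string; rows?: string[];
};

// Parses "<timestamp> key=value key=value ..." into an event, or undefined.
function parseAuditLine(line: string): AuditEvent | undefined {
  const [ts, ...kv] = line.trim().split(/\s+/);
  const f: Record<string, string> = {};
  for (const pair of kv) {
    const i = pair.indexOf("=");
    if (i > 0) f[pair.slice(0, i)] = pair.slice(i + 1);
  }
  if (!ts || !f.user || !f.op || !f.sourceId) return undefined;
  return {
    ts, user: f.user, op: f.op, sourceId: f.sourceId, actionId: f.actionId, rowId: f.rowId,
    rows: f.rows ? f.rows.split(",").filter(Boolean) : undefined,
  };
}

// Builds a per-(user, view) set of rows seen through view reads, then flags any
// row_action whose rowId is outside that set. A trigger that precedes every read
// is also flagged, which is a deliberate conservative choice for triage.
function findFilterBypassCandidates(lines: string[]): AuditEvent[] {
  const seen = new Map<string, Set<string>>(); // "user|sourceId" -> rowIds read
  const flagged: AuditEvent[] = [];
  for (const line of lines) {
    const ev = parseAuditLine(line);
    if (!ev) continue;
    const key = `${ev.user}|${ev.sourceId}`;
    if (ev.op === "view_read" && ev.rows) {
      const set = seen.get(key) ?? new Set<string>();
      ev.rows.forEach(r => set.add(r));
      seen.set(key, set);
    } else if (ev.op === "row_action" && ev.rowId) {
      if (!seen.get(key)?.has(ev.rowId)) flagged.push(ev);
    }
  }
  return flagged;
}

// Constructed sample log: alice reads row-1 and row-3 through view-1, then
// triggers the action on row-1 (in scope) and on row-2 (never returned by the view).
const sampleAuditLines = [
  "2026-05-27T10:00:01Z user=alice op=view_read sourceId=view-1 rows=row-1,row-3",
  "2026-05-27T10:00:05Z user=alice op=row_action sourceId=view-1 actionId=act-1 rowId=row-1",
  "2026-05-27T10:00:09Z user=alice op=row_action sourceId=view-1 actionId=act-1 rowId=row-2",
];
```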

Monitoring Recommendations

  • Enable verbose API audit logging on Budibase, capturing user, sourceId, actionId, and rowId for every trigger call
  • Forward Budibase access logs to a centralized SIEM and build correlation rules for filter-bypass patterns
  • Review historical logs prior to upgrading to identify any retroactive abuse of the endpoint

How to Mitigate CVE-2026-45718

Immediate Actions Required

  • Upgrade all Budibase instances to version 3.38.1 or later as documented in the Budibase 3.38.1 release notes
  • Audit row actions configured on filtered views and assess potential exposure of restricted records
  • Restrict access to applications that rely on view filters as a security boundary until patching is complete

Patch Information

The vulnerability is fixed in Budibase 3.38.1. The patched release enforces that the supplied rowId must satisfy the view's row filters before the row action handler executes. Administrators should follow the standard Budibase upgrade procedure and verify the running version after deployment. Details are available in the GitHub Security Advisory GHSA-3263-v5v9-xq8q.

Workarounds

  • Disable row actions on views that include security-sensitive row filters until the upgrade is applied
  • Move security-critical filtering logic from view filters to table-level role permissions where feasible
  • Restrict the set of users who can authenticate to Budibase applications exposing the affected endpoint
```bash
# Verify the installed Budibase version after upgrade
# (container name and path are deployment-specific; adjust to your setup)
docker exec budibase-app cat /app/package.json | grep '"version"'
# Expected: "version": "3.38.1" or higher
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
