CVE-2026-46427 Overview
CVE-2026-46427 is an information disclosure vulnerability in Budibase, an open-source low-code platform. The flaw exists in the removeSecrets function at packages/server/src/sdk/workspace/datasources/datasources.ts. This function masks only datasource configuration fields whose schema type is DatasourceFieldType.PASSWORD. The Snowflake integration declares its privateKey field as SENSITIVE_LONGFORM, which the secret-masking filter skips entirely. Any authenticated BASIC user with an app role can query GET /api/datasources/:datasourceId and receive the full Snowflake PEM-encoded private key in plaintext. The issue is fixed in version 3.38.3.
Critical Impact
Low-privileged authenticated users can extract Snowflake private keys, enabling unauthorized access to downstream data warehouse infrastructure.
Affected Products
- Budibase versions prior to 3.38.3
- Budibase Server component (packages/server)
- Deployments using the Snowflake datasource integration
Discovery Timeline
- 2026-05-27 - CVE-2026-46427 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-46427
Vulnerability Analysis
The vulnerability is an information disclosure flaw classified under CWE-200. Budibase exposes datasource configuration objects through its REST API. Before returning these objects, the server invokes removeSecrets to redact sensitive values. The function applies a type-based allowlist that only matches fields tagged DatasourceFieldType.PASSWORD.
The Snowflake connector defines its privateKey field with the type SENSITIVE_LONGFORM because the value is a multi-line PEM blob rather than a short password string. This type mismatch causes the masking logic to bypass the field. The API route GET /api/datasources/:datasourceId is protected only by PermissionType.TABLE combined with PermissionLevel.READ, which any authenticated user with a basic app role satisfies.
Root Cause
The root cause is a secret filter that is not deny-by-default: rather than masking any field not known to be safe, the removeSecrets implementation relies on a single schema type to identify confidential fields, so every integration that introduces a new sensitive field type must explicitly extend the filter. The Snowflake integration added SENSITIVE_LONGFORM without updating removeSecrets, leaving the private key unredacted in API responses.
Attack Vector
An attacker requires valid Budibase credentials with any app role, including the lowest BASIC tier. The attacker enumerates datasource identifiers and issues authenticated GET requests against /api/datasources/:datasourceId. The JSON response contains the raw Snowflake privateKey PEM. The attacker then authenticates directly to Snowflake using the stolen key, bypassing Budibase as the access broker.
No verified public exploit code is available. See the GitHub Security Advisory for vendor technical details.
Detection Methods for CVE-2026-46427
Indicators of Compromise
- Unusual volume of authenticated GET /api/datasources/:datasourceId requests originating from low-privileged Budibase accounts
- Snowflake authentication events using key-pair authentication from IP addresses outside expected Budibase server ranges
- Budibase application logs showing datasource read access by BASIC role users who do not own the datasource
Detection Strategies
- Review Budibase access logs for sequential or scripted enumeration of /api/datasources/ endpoints by non-admin accounts
- Correlate Snowflake LOGIN_HISTORY events with the integration service account against approved source IPs
- Inspect API responses in network telemetry for payloads containing -----BEGIN PRIVATE KEY----- patterns returned from Budibase hosts
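The enumeration check from the first strategy above, as an added example that is not Budibase's own code: it parses constructed access-log lines and flags non-admin accounts that read several distinct datasource ids inside a short window. The log format, field names, role labels and thresholds are assumptions made for this example.

```typescript
// Added illustration, not Budibase's own code: a detection pass over the
// kind of access-log lines described above. The log format, field names
// and thresholds are assumptions made for this example.
export type AccessEvent = { ts: number; user: string; role: string; path: string }

const LINE_RE =
  /^(\S+) user=(\S+) role=(\S+) method=GET path=(\/api\/datasources\/[^\s?]+)/
// Parses one constructed log line; returns null for non-matching lines.
export function parseLine(line: string): AccessEvent | null {
  const m = LINE_RE.exec(line)
  if (!m) return null
  return { ts: Date.parse(m[1]), user: m[2], role: m[3], path: m[4] }
}

// Flags non-admin accounts that read >= minDistinct distinct datasource
// ids within windowMs, the scripted-enumeration pattern named above.
export function findEnumeration(
  lines: string[],
  minDistinct = 3,
  windowMs = 60_000,
): string[] {
  const byUser = new Map<string, AccessEvent[]>()
  for (const line of lines) {
    const ev = parseLine(line)
    if (ev && ev.role !== "ADMIN") {
      byUser.set(ev.user, [...(byUser.get(ev.user) ?? []), ev])
    }
  }
  const flagged: string[] = []
  for (const [user, evs] of byUser) {
    evs.sort((a, b) => a.ts - b.ts)
    for (let i = 0; i < evs.length; i++) {
      const ids = new Set<string>()
      for (let j = i; j < evs.length && evs[j].ts - evs[i].ts <= windowMs; j++) {
        ids.add(evs[j].path)
      }
      if (ids.size >= minDistinct) { flagged.push(user); break }
    }
  }
  return flagged
}
// Constructed sample log: bob reads three datasources in 15 seconds.
export const SAMPLE_LOG = [
  "2026-05-28T10:00:00Z user=alice role=ADMIN method=GET path=/api/datasources/ds_a",
  "2026-05-28T10:00:05Z user=bob role=BASIC method=GET path=/api/datasources/ds_a",
  "2026-05-28T10:00:12Z user=bob role=BASIC method=GET path=/api/datasources/ds_b",
  "2026-05-28T10:00:20Z user=bob role=BASIC method=GET path=/api/datasources/ds_c",
  "2026-05-28T10:05:00Z user=carol role=BASIC method=GET path=/api/datasources/ds_a",
]
```

Tighten windowMs or raise minDistinct to tune the false-positive rate for a given deployment's normal editor activity.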
Monitoring Recommendations
- Enable verbose audit logging on the Budibase server and forward to a centralized SIEM for correlation
- Configure Snowflake to alert on key-pair authentication from new client IPs or unusual query patterns
- Track role assignments inside Budibase and alert when BASIC users access datasource management endpoints
How to Mitigate CVE-2026-46427
Immediate Actions Required
- Upgrade all Budibase Server instances to version 3.38.3 or later without delay
- Rotate every Snowflake private key configured in Budibase datasources, treating exposed keys as compromised
- Audit Budibase user accounts and remove unnecessary BASIC-tier access to applications using Snowflake datasources
- Review Snowflake query history for any unauthorized activity tied to the affected service accounts
Patch Information
The maintainers fixed the issue in Budibase 3.38.3. The patch updates removeSecrets in packages/server/src/sdk/workspace/datasources/datasources.ts to mask SENSITIVE_LONGFORM fields in addition to PASSWORD fields. Refer to the GitHub Security Advisory GHSA-qv26-4hvj-m7fv for release notes.
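The type-based filter described in the Root Cause and Patch Information sections, as an added example that is not Budibase's own code: a reduced model of removeSecrets whose set of secret types can be the pre-3.38.3 one (PASSWORD only) or the fixed one (PASSWORD plus SENSITIVE_LONGFORM). The enum values, schema shape, MASKED marker and sample config are assumptions made for this example.

```typescript
// Added illustration, not Budibase's own code: a reduced model of the
// type-based removeSecrets filter described above. Enum values, schema
// shape and the MASKED marker are assumptions made for this example.
export enum DatasourceFieldType {
  STRING = "string",
  PASSWORD = "password",
  SENSITIVE_LONGFORM = "sensitiveLongform",
}
export type DatasourceSchema = Record<string, { type: DatasourceFieldType }>
export type DatasourceConfig = Record<string, unknown>
export const MASKED = "--secret-value--"

// Constructed schema standing in for the Snowflake integration definition.
export const SNOWFLAKE_SCHEMA: DatasourceSchema = {
  account: { type: DatasourceFieldType.STRING },
  password: { type: DatasourceFieldType.PASSWORD },
  privateKey: { type: DatasourceFieldType.SENSITIVE_LONGFORM },
}

// Pre-3.38.3: only PASSWORD is treated as secret, so SENSITIVE_LONGFORM
// values such as the Snowflake privateKey are returned unredacted.
export const LEGACY_SECRET_TYPES = new Set<DatasourceFieldType>([DatasourceFieldType.PASSWORD])
// Fixed: SENSITIVE_LONGFORM is masked alongside PASSWORD.
export const FIXED_SECRET_TYPES = new Set<DatasourceFieldType>([
  DatasourceFieldType.PASSWORD,
  DatasourceFieldType.SENSITIVE_LONGFORM,
])

// Masks every config field whose schema type is in secretTypes.
export function removeSecrets(
  config: DatasourceConfig,
  schema: DatasourceSchema,
  secretTypes: Set<DatasourceFieldType> = FIXED_SECRET_TYPES,
): DatasourceConfig {
  const out: DatasourceConfig = { ...config }
  for (const [field, def] of Object.entries(schema)) {
    if (secretTypes.has(def.type) && field in out) out[field] = MASKED
  }
  return out
}

// Constructed sample config; the key is a placeholder, not a real PEM.
export const SAMPLE_CONFIG: DatasourceConfig = {
  account: "acme",
  password: "hunter2",
  privateKey: "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----",
}
```

A regression test that asserts every field typed SENSITIVE_LONGFORM comes back as MASKED is the cheapest way to keep a future field type from repeating this mismatch.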
Workarounds
- Restrict network access to the Budibase Server so that only trusted administrators can reach the /api/datasources/ routes until the upgrade is applied
- Remove the Snowflake datasource configuration from Budibase and re-add it after patching to ensure rotated keys are stored
- Limit Snowflake service account privileges to the minimum dataset required, reducing blast radius if a key is exfiltrated
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.