CVE-2026-48152 - Budibase REST datasource auth exfiltration

Budibase before 3.39.0 let low-privilege Basic app users read and update an existing REST datasource through routes guarded only by generic table-oriented permissions. Stored auth config values were redacted in API responses, but when the user updated only the base URL, Budibase merged the existing secret back into the datasource and then used it on a relative-path query. That let an attacker-controlled listener receive the builder-configured Authorization value.

This is an authorization boundary failure around server-side secrets, not just a UI disclosure bug.

When to use it

Use this recipe when a repository deploys or customizes Budibase and stores authenticated REST datasources that low-privilege app users might read, update, or trigger through saved relative-path queries. It is most useful for low-code and internal tooling environments where server-side datasource credentials reach APIs, SaaS systems, internal services, or automation endpoints.

Use it to close the datasource mutation and secret-reuse boundary. Do not use it to redirect real credential-bearing requests to a listener.

Inputs

  • @budibase/server manifests, lockfiles, images, charts, deployment manifests, SBOMs, generated dependency reports, forks, and local patches.
  • REST datasource objects, auth config handling, redacted-placeholder merge logic, base URL update routes, saved relative-path queries, and query execution paths.
  • Role and permission evidence for Basic users, builders, admins, app users, automations, tenants, and API clients that can read/update datasources.
  • Inventory of server-side credentials in REST datasources: Basic, Bearer, OAuth2, API keys, headers, cookies, and internal URL destinations.
  • Audit logs, query history, and credential-rotation ownership, with datasource credentials and internal URLs treated as sensitive.

Affected versions

  • Vulnerable: @budibase/server <3.39.0
  • Fixed: @budibase/server 3.39.0+
  • Affected surface: REST datasource read/update routes, saved relative-path queries, and Basic app user permissions

Indicator-of-exposure

  • The repository deploys Budibase before 3.39.0.
  • REST datasources with Basic/Bearer/OAuth2 auth are configured server-side.
  • Basic app users or similarly low-privilege principals can read or update datasource objects.
  • Relative-path queries exist that will execute against the rewritten base URL.

Quick checks:

rg -n "datasource|authConfigs|mergeConfigs|TABLE READ|TABLE WRITE|REST datasource|queryId" .
npm ls @budibase/server
pnpm why @budibase/server

Windows:

rg -n "datasource|authConfigs|mergeConfigs|TABLE READ|TABLE WRITE|REST datasource|queryId" .
npm ls @budibase/server
pnpm why @budibase/server

Remediation strategy

  • Upgrade Budibase to 3.39.0+.
  • Restrict datasource read/update operations to builder/admin roles or explicit datasource ownership checks.
  • Prevent redacted-placeholder merge logic from silently reusing stored secrets when a lower-privilege caller rewrites destination URLs.
  • Rotate affected REST datasource secrets if low-privilege users could reach the vulnerable paths.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-48152 / GHSA-3gp5-q4jw-3v94 in Budibase. Basic app
users can rewrite REST datasource base URLs and trigger server-side reuse of
stored auth secrets. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Budibase, tightens datasource
  authorization, prevents secret reuse on untrusted URL rewrites, and documents
  secret-rotation actions, or
- TRIAGE.md if this repository does not control an affected Budibase server.

## Rules

- Scope only CVE-2026-48152 and directly related datasource authorization and
  secret handling.
- Treat datasource credentials, query definitions, internal URLs, and audit
  logs as sensitive.
- Do not redirect live datasource traffic to attacker-controlled endpoints.
- Do not leave low-privilege principals with datasource mutation rights that can
  influence credential-bearing server-side requests.
- Do not auto-merge.

## Steps

1. Inventory every `@budibase/server` dependency, image, and deployment owned
   by this repository.
2. Determine whether REST datasources with auth are configured and which roles
   can read or update them.
3. Trace how redacted auth placeholders are merged back into saved datasource
   configs during update and query execution.
4. If this repository does not control an affected Budibase server, stop with
   `TRIAGE.md` naming the owner and required fixed version `3.39.0+`.
5. Upgrade to `3.39.0+` and refresh locks, images, SBOMs, and deployment
   artifacts.
6. Restrict datasource read/update permissions to trusted builder/admin roles or
   stronger resource-specific authorization.
7. Ensure low-privilege callers cannot reuse stored secrets by changing only the
   destination URL or similar transport fields.
8. Add regression tests proving a low-privilege user cannot update a secret-
   bearing datasource or trigger server-side authenticated exfiltration.
9. Add a PR body section named `CVE-2026-48152 operator actions` covering:
   - versions before and after;
   - which datasource types and roles were in scope;
   - whether credential rotation is required;
   - which audit logs or query histories should be reviewed;
   - validation that passed.
10. Run available validation: dependency install, tests, build, image build,
    deployment render, and security scans.
11. Use PR title:
    `fix(sec): remediate CVE-2026-48152 in Budibase REST datasources`.

## Stop conditions

- No affected Budibase server is controlled by this repository.
- Verification would require redirecting real credential-bearing requests to an
  attacker-controlled endpoint.
- Product requirements intentionally allow low-privilege datasource mutation;
  document the risk and stop for review.
- Validation fails for unrelated pre-existing reasons; document those failures.

Verification - what the reviewer looks for

  • No controlled Budibase deployment resolves <3.39.0.
  • Low-privilege principals cannot read or mutate secret-bearing datasources.
  • Secret placeholder merge logic cannot be abused to preserve auth across attacker-controlled destination rewrites.
  • Secret rotation guidance is documented if exposure existed.

Watch for

  • Restricting UI access but leaving API routes at the old permission level.
  • Sanitizing reads while keeping update rights that still preserve stored secrets.
  • Forgetting saved queries and automation steps that reuse the datasource.

Output contract

Return one of:

  • A reviewer-ready PR/change request that upgrades Budibase to 3.39.0+, restricts datasource read/update operations to trusted builder/admin or resource-specific authorization, prevents stored-secret reuse when low-privilege callers rewrite destinations, adds regression tests, refreshes generated artifacts, and documents secret-rotation actions.
  • TRIAGE.md when no controlled affected Budibase server, REST datasource runtime, fork, image, chart, or deployment exists.

The output must list versions before/after, datasource types and roles in scope, routes and merge logic changed, validation commands, artifacts refreshed, credentials requiring rotation, and audit/query histories to review. It must not redirect live credential-bearing traffic, expose datasource secrets, print internal URLs unnecessarily, or leave low-privilege datasource mutation rights in place.

References