CVE-2026-48152 - Budibase REST datasource auth exfiltration
Budibase before 3.39.0 let low-privilege Basic app users read and update an
existing REST datasource through routes guarded only by generic table-oriented
permissions. Stored auth config values were redacted in API responses, but when
the user updated only the base URL, Budibase merged the existing secret back
into the datasource and then used it on a relative-path query. That let an
attacker-controlled listener receive the builder-configured Authorization value.
This is an authorization boundary failure around server-side secrets, not just a UI disclosure bug.
When to use it
Use this recipe when a repository deploys or customizes Budibase and stores authenticated REST datasources that low-privilege app users might read, update, or trigger through saved relative-path queries. It is most useful for low-code and internal tooling environments where server-side datasource credentials reach APIs, SaaS systems, internal services, or automation endpoints.
Use it to close the datasource mutation and secret-reuse boundary. Do not use it to redirect real credential-bearing requests to a listener.
Inputs
@budibase/servermanifests, lockfiles, images, charts, deployment manifests, SBOMs, generated dependency reports, forks, and local patches.- REST datasource objects, auth config handling, redacted-placeholder merge logic, base URL update routes, saved relative-path queries, and query execution paths.
- Role and permission evidence for Basic users, builders, admins, app users, automations, tenants, and API clients that can read/update datasources.
- Inventory of server-side credentials in REST datasources: Basic, Bearer, OAuth2, API keys, headers, cookies, and internal URL destinations.
- Audit logs, query history, and credential-rotation ownership, with datasource credentials and internal URLs treated as sensitive.
Affected versions
- Vulnerable:
@budibase/server <3.39.0 - Fixed:
@budibase/server 3.39.0+ - Affected surface: REST datasource read/update routes, saved relative-path queries, and Basic app user permissions
Indicator-of-exposure
- The repository deploys Budibase before
3.39.0. - REST datasources with Basic/Bearer/OAuth2 auth are configured server-side.
- Basic app users or similarly low-privilege principals can read or update datasource objects.
- Relative-path queries exist that will execute against the rewritten base URL.
Quick checks:
rg -n "datasource|authConfigs|mergeConfigs|TABLE READ|TABLE WRITE|REST datasource|queryId" .
npm ls @budibase/server
pnpm why @budibase/server
Windows:
rg -n "datasource|authConfigs|mergeConfigs|TABLE READ|TABLE WRITE|REST datasource|queryId" .
npm ls @budibase/server
pnpm why @budibase/server
Remediation strategy
- Upgrade Budibase to
3.39.0+. - Restrict datasource read/update operations to builder/admin roles or explicit datasource ownership checks.
- Prevent redacted-placeholder merge logic from silently reusing stored secrets when a lower-privilege caller rewrites destination URLs.
- Rotate affected REST datasource secrets if low-privilege users could reach the vulnerable paths.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-48152 / GHSA-3gp5-q4jw-3v94 in Budibase. Basic app
users can rewrite REST datasource base URLs and trigger server-side reuse of
stored auth secrets. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades Budibase, tightens datasource
authorization, prevents secret reuse on untrusted URL rewrites, and documents
secret-rotation actions, or
- TRIAGE.md if this repository does not control an affected Budibase server.
## Rules
- Scope only CVE-2026-48152 and directly related datasource authorization and
secret handling.
- Treat datasource credentials, query definitions, internal URLs, and audit
logs as sensitive.
- Do not redirect live datasource traffic to attacker-controlled endpoints.
- Do not leave low-privilege principals with datasource mutation rights that can
influence credential-bearing server-side requests.
- Do not auto-merge.
## Steps
1. Inventory every `@budibase/server` dependency, image, and deployment owned
by this repository.
2. Determine whether REST datasources with auth are configured and which roles
can read or update them.
3. Trace how redacted auth placeholders are merged back into saved datasource
configs during update and query execution.
4. If this repository does not control an affected Budibase server, stop with
`TRIAGE.md` naming the owner and required fixed version `3.39.0+`.
5. Upgrade to `3.39.0+` and refresh locks, images, SBOMs, and deployment
artifacts.
6. Restrict datasource read/update permissions to trusted builder/admin roles or
stronger resource-specific authorization.
7. Ensure low-privilege callers cannot reuse stored secrets by changing only the
destination URL or similar transport fields.
8. Add regression tests proving a low-privilege user cannot update a secret-
bearing datasource or trigger server-side authenticated exfiltration.
9. Add a PR body section named `CVE-2026-48152 operator actions` covering:
- versions before and after;
- which datasource types and roles were in scope;
- whether credential rotation is required;
- which audit logs or query histories should be reviewed;
- validation that passed.
10. Run available validation: dependency install, tests, build, image build,
deployment render, and security scans.
11. Use PR title:
`fix(sec): remediate CVE-2026-48152 in Budibase REST datasources`.
## Stop conditions
- No affected Budibase server is controlled by this repository.
- Verification would require redirecting real credential-bearing requests to an
attacker-controlled endpoint.
- Product requirements intentionally allow low-privilege datasource mutation;
document the risk and stop for review.
- Validation fails for unrelated pre-existing reasons; document those failures.
Verification - what the reviewer looks for
- No controlled Budibase deployment resolves
<3.39.0. - Low-privilege principals cannot read or mutate secret-bearing datasources.
- Secret placeholder merge logic cannot be abused to preserve auth across attacker-controlled destination rewrites.
- Secret rotation guidance is documented if exposure existed.
Watch for
- Restricting UI access but leaving API routes at the old permission level.
- Sanitizing reads while keeping update rights that still preserve stored secrets.
- Forgetting saved queries and automation steps that reuse the datasource.
Output contract
Return one of:
- A reviewer-ready PR/change request that upgrades Budibase to
3.39.0+, restricts datasource read/update operations to trusted builder/admin or resource-specific authorization, prevents stored-secret reuse when low-privilege callers rewrite destinations, adds regression tests, refreshes generated artifacts, and documents secret-rotation actions. TRIAGE.mdwhen no controlled affected Budibase server, REST datasource runtime, fork, image, chart, or deployment exists.
The output must list versions before/after, datasource types and roles in scope, routes and merge logic changed, validation commands, artifacts refreshed, credentials requiring rotation, and audit/query histories to review. It must not redirect live credential-bearing traffic, expose datasource secrets, print internal URLs unnecessarily, or leave low-privilege datasource mutation rights in place.
Related recipes
- CVE-2026-48146 - Budibase OAuth2 validation SSRF
- CVE-2026-48151 - Budibase webhook schema auth bypass
- Source-code authz tenant boundary audit