CVE-2026-45717 (severity: HIGH, CNA: GitHub_M)

CVE-2026-45717: Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, allowing any authenticated app user to overwrite datasource connection parameters including host, port, and URL.

Budibase is an open-source low-code platform. Prior to 3.38.1, Budibase exposes a REST API for datasource management. The route PUT /api/datasources/:datasourceId is registered in the authorizedRoutes group with TABLE/READ permission, the same authorization level as the read endpoint (GET /api/datasources/:datasourceId). Every authenticated Budibase app user with the BASIC built-in role or higher carries TABLE/WRITE (and therefore TABLE/READ) permissions, and the datasource update controller performs no additional builder check. As a result, any authenticated non-builder app user can submit a PUT request to rewrite a datasource's config object, including the connection host, port, database credentials, or the base URL of a REST datasource. Because no network-level SSRF protection is applied to SQL driver connections, redirecting a PostgreSQL/MySQL/MongoDB datasource to an internal IP address succeeds and the attacker can probe or interact with internal services on arbitrary ports. This vulnerability is fixed in 3.38.1.
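The permission mismatch the advisory describes, as an added example (not Budibase's own code): a minimal model of resource permission levels and built-in app roles, plus an audit that lists every mutating route a plain BASIC user can reach. The route entries and the role names above BASIC are assumptions modelled on the advisory text.

```python
from dataclasses import dataclass

# Permission levels on a resource, ordered: holding WRITE implies READ.
LEVEL_RANK = {"READ": 1, "WRITE": 2}

# TABLE level carried by each built-in app role. Per the advisory, BASIC and
# every higher role hold TABLE/WRITE; the role names above BASIC are assumed.
ROLE_TABLE_LEVEL = {"BASIC": "WRITE", "POWER": "WRITE", "ADMIN": "WRITE"}
BUILDER = "BUILDER"  # builder access is a distinct class, not an app role level

@dataclass(frozen=True)
class Route:
    method: str
    path: str
    required: str  # "TABLE/READ", "TABLE/WRITE" or BUILDER

def is_authorized(role: str, route: Route) -> bool:
    """Does a session holding `role` pass the route's declared check?"""
    if role == BUILDER:
        return True
    if route.required == BUILDER:
        return False
    resource, level = route.required.split("/")
    held = ROLE_TABLE_LEVEL.get(role)
    return (resource == "TABLE" and held is not None
            and LEVEL_RANK[held] >= LEVEL_RANK[level])

MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

def audit_routes(routes):
    """List every mutating route a plain BASIC app user can reach; each one
    is a candidate for the same class of bug as CVE-2026-45717."""
    return [(r.method, r.path) for r in routes
            if r.method in MUTATING and is_authorized("BASIC", r)]

# Constructed route tables. In the vulnerable one the PUT carries the same
# level as the GET; in the fixed one it requires builder access.
VULNERABLE = [
    Route("GET", "/api/datasources/:datasourceId", "TABLE/READ"),
    Route("PUT", "/api/datasources/:datasourceId", "TABLE/READ"),
]
FIXED = [
    Route("GET", "/api/datasources/:datasourceId", "TABLE/READ"),
    Route("PUT", "/api/datasources/:datasourceId", BUILDER),
]
```

Run `audit_routes` over a real route table as a regression test: any mutating route it returns needs either a builder check or a deliberate justification.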

HarborGuard Analysis

Synopsis

An authorization bypass in Budibase allows any authenticated app user to overwrite datasource connection parameters via the PUT /api/datasources/:datasourceId endpoint, which is incorrectly protected by TABLE/READ permission rather than builder-level access. The vulnerability is reachable over the network with a low-privilege account and requires no victim interaction. Successful exploitation gives an attacker full read, write, and denial-of-service capability over affected datasources, plus the ability to redirect database connections to internal network addresses for server-side request forgery (SSRF). HarborGuard tracks this advisory and will make a patched-image rebuild available the moment a fix version is published upstream.

HarborGuard Coverage

Detection (status: Available)

Detection of CVE-2026-45717 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Budibase. Any image containing a Budibase version below 3.38.1 is flagged automatically.

Triage (status: Available)

HarborGuard scores this CVE at 8.8 HIGH (CVSS v3.1) and the finding is weighted against each environment's configured compliance policy before being routed to the appropriate team inbox within the customer org. Per-environment risk context, such as whether the affected image is deployed in a public-facing or internal-only workload, is surfaced alongside the finding.

Patch (status: Pending upstream)

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment version 3.38.1 or a later fix is released. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once the upstream patch lands.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the Budibase API service via HTTP/HTTPS.

  • Authentication: Required

    Any low-privilege Budibase account with the BASIC built-in role or higher is sufficient; no admin or builder credentials are needed.

  • Victim interaction: Not required

    The attacker sends a direct PUT request to the API; no action from another user is required.

  • Attack complexity: Low (AC:L in the CVSS vector below)

    Exploitation is straightforward and condition-free: the attacker constructs a valid PUT request body with attacker-controlled connection parameters, and the server applies the change without additional checks.

Blast Radius

  • Reads database credentials stored in or derivable from overwritten datasource configs, exposing usernames, passwords, and connection strings.
  • Modifies datasource connection targets to redirect SQL or REST driver connections to attacker-controlled hosts, enabling credential harvesting and data interception.
  • Probes or interacts with internal services on arbitrary ports by pointing datasource hosts to internal IP addresses, effectively using the Budibase server as an SSRF pivot.
  • Disrupts application functionality by overwriting connection parameters with invalid values, causing the affected datasource and any dependent apps to fail.

How HarborGuard Handles This

Available on HarborGuard: the CVE is matched against all images containing Budibase below 3.38.1 within minutes of advisory ingestion, covering both registry-stored and pipeline-built images. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically once version 3.38.1 is published.

In the interim, compensating controls worth considering include: isolating Budibase API pods behind a network policy that restricts which internal CIDR ranges the Budibase service can reach (limiting the SSRF blast radius); applying egress filtering to the Budibase service account to block connections to RFC-1918 address space; and, where the ingress or API gateway supports such a rule, restricting the PUT /api/datasources/:datasourceId route to builder-role sessions only.

For customers who opt into auto-remediation, a rebuilt image, regression-test run, and PR against affected workloads will be opened automatically when the upstream patch lands; where compliance policy requires manual approval, the PR is queued for review rather than merged automatically.
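A datasource-target check of the kind the advisory says is absent for SQL driver connections, as an added example (not Budibase's or HarborGuard's code): it rejects a datasource whose host or REST URL resolves into private, loopback or link-local address space, complementing the network-level controls above. The field names in the datasource documents and the blocked-range policy are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Address ranges a datasource must never point at (assumed policy for this
# example): RFC-1918, loopback, link-local, "this network" and IPv6 equivalents.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]

def _default_resolve(host):
    """Resolve a hostname to all of its addresses (needs network access)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def target_of(datasource):
    """Return (host, port) from a datasource document. SQL drivers carry
    config.host/config.port; a REST datasource carries config.url (assumed)."""
    cfg = datasource.get("config", {})
    if "url" in cfg:
        parts = urlsplit(cfg["url"])
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError("REST datasource url must be http(s) with a host")
        return parts.hostname, parts.port
    if "host" in cfg:
        return str(cfg["host"]), cfg.get("port")
    raise ValueError("datasource config has neither host nor url")

def is_safe_target(datasource, resolve=_default_resolve):
    """True only if every address the target resolves to is outside BLOCKED.
    `resolve` is injectable so the check can run without DNS in tests."""
    host, _port = target_of(datasource)
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP: no lookup needed
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    return bool(addrs) and not any(a in net for a in addrs for net in BLOCKED)

# Constructed datasource documents shaped like the PUT body the advisory
# describes (field names assumed): two SQL datasources and one REST datasource.
PG_INTERNAL = {"source": "POSTGRES", "config": {"host": "10.0.0.5", "port": 5432}}
PG_EXTERNAL = {"source": "POSTGRES", "config": {"host": "db.example.com", "port": 5432}}
REST_INTERNAL = {"source": "REST", "config": {"url": "http://192.168.1.20:8080/api"}}
```

A hostname checked at validation time can later resolve elsewhere, so this check is a complement to, not a replacement for, the egress filtering described above.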

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in:
Affected products: 1
Affected packages:
  • Budibase / budibase < 3.38.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H