CVE-2026-46427: Budibase: Snowflake private key returned unmasked from datasource API to BASIC users
Budibase is an open-source low-code platform. Prior to 3.38.3, removeSecrets at packages/server/src/sdk/workspace/datasources/datasources.ts masks only datasource config fields whose schema type is DatasourceFieldType.PASSWORD. The Snowflake integration types its privateKey field as SENSITIVE_LONGFORM, which the filter skips, so the key is returned verbatim. GET /api/datasources/:datasourceId lives on authorizedRoutes guarded by PermissionType.TABLE + PermissionLevel.READ. An authenticated BASIC user with any app role can call the endpoint and receive the full Snowflake PEM in plaintext. This vulnerability is fixed in 3.38.3.
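The filter described above, modelled as an added example in TypeScript; this is not Budibase's own code, and the field-type names, schema shape, replacement token and the sample Snowflake datasource are all assumptions constructed for the illustration. It shows the type-based mask that skips SENSITIVE_LONGFORM beside a version that masks every secret-bearing type, plus a check an operator can run against an API response to see whether PEM material is still present.

```typescript
// Added example, not Budibase code. Field-type names follow the advisory; the
// schema/datasource shapes and the replacement token are assumptions.
const DatasourceFieldType = {
  STRING: "string",
  PASSWORD: "password",
  SENSITIVE_LONGFORM: "sensitiveLongform",
} as const;
type DatasourceFieldType = (typeof DatasourceFieldType)[keyof typeof DatasourceFieldType];

type FieldSchema = { type: DatasourceFieldType; required?: boolean };
type DatasourceSchema = { datasource: Record<string, FieldSchema> };
type Datasource = { _id: string; source: string; config: Record<string, unknown> };

export const SECRET_REPLACEMENT = "--secret-value--";

// Constructed schema for a Snowflake-style integration: password is PASSWORD,
// privateKey is SENSITIVE_LONGFORM (the case the vulnerable filter misses).
export const SNOWFLAKE_SCHEMA: DatasourceSchema = {
  datasource: {
    account: { type: DatasourceFieldType.STRING, required: true },
    username: { type: DatasourceFieldType.STRING, required: true },
    password: { type: DatasourceFieldType.PASSWORD },
    privateKey: { type: DatasourceFieldType.SENSITIVE_LONGFORM },
  },
};

// Vulnerable behaviour: only fields typed PASSWORD are replaced.
export function removeSecretsVulnerable(ds: Datasource, schema: DatasourceSchema): Datasource {
  const config: Record<string, unknown> = { ...ds.config };
  for (const [name, field] of Object.entries(schema.datasource)) {
    if (field.type === DatasourceFieldType.PASSWORD && config[name] !== undefined) {
      config[name] = SECRET_REPLACEMENT;
    }
  }
  return { ...ds, config };
}

// Hardened behaviour: every secret-bearing field type is masked, so a new
// sensitive type cannot slip through by not being PASSWORD.
const SECRET_TYPES = new Set<DatasourceFieldType>([
  DatasourceFieldType.PASSWORD,
  DatasourceFieldType.SENSITIVE_LONGFORM,
]);

export function removeSecretsFixed(ds: Datasource, schema: DatasourceSchema): Datasource {
  const config: Record<string, unknown> = { ...ds.config };
  for (const [name, field] of Object.entries(schema.datasource)) {
    if (SECRET_TYPES.has(field.type) && config[name] !== undefined) {
      config[name] = SECRET_REPLACEMENT;
    }
  }
  return { ...ds, config };
}

// Operator-side check: does a datasource object (e.g. the JSON returned by
// GET /api/datasources/:datasourceId) still carry PEM private-key material?
export function leaksPemMaterial(ds: Datasource): boolean {
  const pem = /-----BEGIN [A-Z ]*PRIVATE KEY-----/;
  return Object.values(ds.config).some((v) => typeof v === "string" && pem.test(v));
}

// Constructed sample datasource; the key body is placeholder text, not a real key.
export const SAMPLE_DATASOURCE: Datasource = {
  _id: "datasource_example",
  source: "SNOWFLAKE",
  config: {
    account: "xy12345.eu-central-1",
    username: "svc_budibase",
    password: "hunter2",
    privateKey: "-----BEGIN PRIVATE KEY-----\nEXAMPLEKEYMATERIAL\n-----END PRIVATE KEY-----",
  },
};

// Usage: the vulnerable filter masks the password but leaves the PEM in place.
const leaked = removeSecretsVulnerable(SAMPLE_DATASOURCE, SNOWFLAKE_SCHEMA);
console.log("vulnerable filter leaks PEM:", leaksPemMaterial(leaked));
const masked = removeSecretsFixed(SAMPLE_DATASOURCE, SNOWFLAKE_SCHEMA);
console.log("fixed filter leaks PEM:", leaksPemMaterial(masked));
```

The type-allowlist in the fixed version is the point: masking by an explicit set of secret types rather than a single equality comparison means an integration that introduces a new sensitive field type only has to be added to one place, and leaksPemMaterial gives a cheap regression check to run against a real response after upgrading.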
HarborGuard Analysis
Synopsis
This is a sensitive-data exposure vulnerability in Budibase, an open-source low-code platform. The flaw is reachable over the network by any authenticated user holding the BASIC role with any app role, requiring no elevated privileges. Successful exploitation lets an attacker retrieve a Snowflake private key (PEM format) in plaintext from the datasource API, which can be used to authenticate directly to the victim's Snowflake account outside of Budibase. A patched-image rebuild at version 3.38.3 is offered through HarborGuard for environments running an affected version; see HarborGuard Coverage for its current status.
HarborGuard Coverage
Detection (Available): CVE-2026-46427 is ingested from upstream advisory feeds within minutes of publication and matched against customer images across every HarborGuard environment, including custom-built images that bundle Budibase. Any image whose Budibase version falls below 3.38.3 is flagged automatically.
Scoring and triage (Available): HarborGuard scores this finding at CVSS 7.7 HIGH and weights it against each environment's compliance policy, so teams with stricter data-protection requirements see it surfaced with elevated priority. Triage alerts are routed to the appropriate team inbox within each customer organization based on their configured routing rules.
Patched image (Pending upstream): A patched-image rebuild at Budibase 3.38.3 becomes available on HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The vulnerable API endpoint is exposed over the network, so an attacker must be able to reach the Budibase server via HTTP/HTTPS.
- Authentication: Required
Any low-privilege account with the BASIC role and any app role is sufficient; no admin or elevated credentials are needed beyond a valid authenticated session.
- Victim interaction: Not required
The attacker calls the datasource API directly and receives the private key in the response; no action from another user is required.
- Attack complexity: Low (AC:L)
Exploitation is reliable and condition-free: the attacker issues a single authenticated GET request to a predictable endpoint and retrieves the PEM from the response.
Blast Radius
- Reads the full Snowflake private key (PEM) in plaintext, enabling direct authentication to the target Snowflake account outside of Budibase.
- Accesses any data stored in the connected Snowflake instance using the stolen key, including tables, schemas, and stored credentials.
- Bypasses Budibase's own access controls entirely by connecting to Snowflake natively with the extracted key.
How HarborGuard Handles This
Available on HarborGuard: images running Budibase below 3.38.3 are flagged as soon as the CVE is ingested, typically within minutes of advisory publication. Where compliance policy permits, HarborGuard can trigger a rebuild at 3.38.3, run a regression test, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Because no interaction is required to exploit this endpoint, teams that cannot immediately rebuild should consider applying network policy to restrict access to the Budibase API surface to trusted internal ranges only, reducing the pool of callers who can reach GET /api/datasources/:datasourceId until the patched image is deployed. Note that this only limits who can reach the endpoint; an authenticated BASIC user inside the trusted range can still read the key. Upgrading also does nothing for a key that has already been read: if any BASIC-role user could have called the endpoint while an affected version was deployed, treat the Snowflake key pair as compromised, rotate it, and review the Snowflake login history for that service user.
Metrics
- CVSS v3.1: 7.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
- Budibase / budibase: < 3.38.3
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N