CVE-2026-48152 | Severity: HIGH | CNA: GitHub_M

CVE-2026-48152: Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL

Budibase is an open-source low-code platform. Prior to 3.39.0, the single-datasource GET and PUT routes are guarded by generic TABLE READ, not by Builder/Admin permission or datasource-specific ownership/resource checks. The built-in Basic app user role maps to the WRITE permission set, which includes table read/write and query write. A Basic user can therefore read an existing REST datasource, receive redacted authConfigs values, submit an update that changes only config.url while keeping the redacted placeholders, and trigger an existing saved relative-path REST query. During update, mergeConfigs() restores the old stored secret when it sees the redaction placeholder. During query execution, Budibase prefixes the attacker-controlled datasource config.url to the relative query path and applies the resolved stored auth headers. The result is server-side disclosure of the builder-configured REST Authorization secret to an attacker-controlled listener. This vulnerability is fixed in 3.39.0.

HarborGuard Analysis

Synopsis

This is a server-side request forgery combined with a secrets-exfiltration vulnerability in Budibase, an open-source low-code platform. An authenticated attacker with only a Basic app user account can rewrite a REST datasource's base URL to an attacker-controlled host, then trigger a saved query, causing the Budibase server to send the builder-configured REST Authorization secret to the attacker's listener over the network. Successful exploitation gives the attacker full read access to stored REST auth credentials and allows tampering with datasource configuration. No patched image rebuild is currently available on HarborGuard because no upstream fix version has been published; HarborGuard is tracking the advisory for patch availability.
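The merge behaviour the description attributes to mergeConfigs(), modelled as an added example (not Budibase's own code) beside a hardened merge that refuses to reuse a stored secret for a rewritten origin or a non-builder caller; the placeholder token, type names and function names are assumptions.

```typescript
// Added example, not Budibase's code: models the redaction-placeholder merge the
// advisory describes, beside a hardened merge. Every name here is hypothetical.
const REDACTED = "--secret-value--"; // assumed placeholder sent to clients instead of the secret
interface AuthHeader { name: string; value: string }
interface RestDatasourceConfig { url: string; authConfigs: AuthHeader[] }
type Role = "BASIC" | "BUILDER";

function storedValue(stored: RestDatasourceConfig, name: string): string | undefined {
  return stored.authConfigs.find((h) => h.name === name)?.value;
}

// Vulnerable pattern: whenever the client echoes the placeholder, the stored secret is
// restored silently, even though the same update rewrote config.url.
function mergeConfigsVulnerable(
  stored: RestDatasourceConfig, update: RestDatasourceConfig): RestDatasourceConfig {
  return {
    url: update.url,
    authConfigs: update.authConfigs.map((h) => ({
      name: h.name,
      value: h.value === REDACTED ? storedValue(stored, h.name) ?? "" : h.value,
    })),
  };
}

// Hardened pattern: the route demands builder privilege, and a stored secret is only
// carried over while the base URL still points at the same origin.
function mergeConfigsHardened(
  stored: RestDatasourceConfig, update: RestDatasourceConfig, role: Role): RestDatasourceConfig {
  if (role !== "BUILDER") throw new Error("datasource update requires builder permission");
  const originChanged = new URL(stored.url).origin !== new URL(update.url).origin;
  return {
    url: update.url,
    authConfigs: update.authConfigs.map((h) => {
      if (h.value !== REDACTED) return h;
      const prev = storedValue(stored, h.name);
      if (originChanged || prev === undefined) {
        throw new Error(`re-enter ${h.name}: stored secrets are not reused for a new origin`);
      }
      return { name: h.name, value: prev };
    }),
  };
}

// Where a saved relative-path query would be sent, and with which headers: the server
// prefixes config.url to the path and attaches the merged auth values.
function resolveQuery(config: RestDatasourceConfig, relativePath: string) {
  const target = config.url.replace(/\/+$/, "") + "/" + relativePath.replace(/^\/+/, "");
  const headers: Record<string, string> = {};
  for (const h of config.authConfigs) headers[h.name] = h.value;
  return { target, headers };
}
```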

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-48152 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Budibase.

Triage (Available)

HarborGuard is capable of scoring this CVE at CVSS 8.1 (HIGH) and weighting the result against each environment's compliance policy to route findings to the appropriate team inbox within the customer organization.

Patch (Pending upstream)

Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the Budibase maintainers publish a fixed release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Budibase application over the network to call the datasource GET and PUT routes and to trigger a saved REST query.

  • Authentication: Required

    A low-privilege Basic app user account is sufficient; no admin or builder-level access is needed to exploit this vulnerability.

  • Victim interaction: Not required

    The attacker executes the attack entirely through their own authenticated API calls; no other user needs to take any action.

  • Attack complexity

    The exploit is reliable and condition-free: the attacker reads the datasource, rewrites the URL, and triggers the query in a deterministic sequence with no race conditions or special memory-layout requirements.

Blast Radius

  • The attacker receives the full plaintext REST Authorization secret (API key, bearer token, or similar credential) that the builder configured on the datasource, because the server applies it to the outbound request sent to the attacker-controlled URL.
  • The attacker can modify the datasource configuration (specifically config.url) for any accessible REST datasource, redirecting future legitimate app traffic and query results to an external host.
  • Any downstream system protected solely by the exfiltrated credential is now reachable by the attacker without further exploitation of Budibase.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been released, HarborGuard monitors the Budibase advisory on every ingest cycle and will surface a patched-image rebuild the moment version 3.39.0 or a successor fix is published. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will follow automatically. In the interim, compensating controls worth applying include restricting outbound HTTP egress from the Budibase server pod to a known-good allowlist (blocking requests to arbitrary attacker-controlled hosts), enforcing network policy so only trusted services can reach the Budibase internal API, and, where the compliance policy permits, temporarily revoking or rotating REST datasource credentials so any exfiltrated secrets are invalidated. HarborGuard will emit a re-triage notification as soon as upstream patch availability changes.

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: 3.39.0
  • Affected products: 1
  • Affected packages: Budibase / budibase (< 3.39.0)
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N