Npm · @Budibase/Server · CVE-2026-45717
**Name of the Vulnerable Software and Affected Versions**
Budibase versions prior to 3.38.1
**Description**
Budibase contains a route-level authorization misconfiguration where the endpoint "PUT /api/datasources/:datasourceId" is incorrectly assigned to the `authorizedRoutes` group with `TABLE/READ` permissions instead of the `builderRoutes` group. This allows any authenticated user with the `BASIC` built-in role or higher to submit requests to rewrite a datasource's `config` object, including the `host`, `port`, database credentials, or the base `url` of a REST datasource.
Because SQL driver connections lack network-level Server-Side Request Forgery (SSRF) protection (SSRF being an attack in which a server is induced to make requests to a location the attacker chooses), redirecting a PostgreSQL, MySQL, or MongoDB datasource to an internal IP address allows an attacker to probe or interact with internal services on arbitrary ports. Additionally, this can be used to disrupt service by injecting invalid configurations, causing a Denial of Service (DoS) for every application query that depends on that datasource.
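The following is an added illustration, not Budibase's own code, of why the route-group assignment described above matters and how a route table can be audited for it. It models two route groups: `authorizedRoutes`, where a request passes if the user's role holds the route's permission, and `builderRoutes`, which only a builder may call. The group names, the `TABLE/READ` permission and the `BASIC` role come from the advisory; the simplified role set, the data structures, the function names and the audit rule are assumptions made for this example.

```javascript
// Hypothetical, simplified role-to-permission map (assumption, not Budibase's real role model).
const ROLE_PERMISSIONS = {
  PUBLIC: new Set(),
  BASIC: new Set(["TABLE/READ"]),
  BUILDER: new Set(["TABLE/READ", "TABLE/WRITE"]),
};

// Route table as the advisory describes it: the mutating PUT is guarded only by
// the TABLE/READ permission, so any BASIC user passes.
const VULNERABLE_ROUTES = [
  { method: "GET", path: "/api/datasources", group: "authorizedRoutes", permission: "TABLE/READ" },
  { method: "PUT", path: "/api/datasources/:datasourceId", group: "authorizedRoutes", permission: "TABLE/READ" },
  { method: "POST", path: "/api/datasources", group: "builderRoutes" },
];

// Corrected table: the PUT moves to builderRoutes, which ignores permissions
// and requires the builder role.
const FIXED_ROUTES = VULNERABLE_ROUTES.map((r) =>
  r.method === "PUT" && r.path === "/api/datasources/:datasourceId"
    ? { method: r.method, path: r.path, group: "builderRoutes" }
    : r
);

// Match a concrete request path against a pattern with ":param" segments.
function pathMatches(pattern, path) {
  const re = new RegExp("^" + pattern.replace(/:[^/]+/g, "[^/]+") + "$");
  return re.test(path);
}

// Authorization decision for one request. Unknown routes are denied by default.
function isAuthorized(routes, user, method, path) {
  const route = routes.find((r) => r.method === method && pathMatches(r.path, path));
  if (!route) return false;
  if (route.group === "builderRoutes") return user.role === "BUILDER";
  // authorizedRoutes: the user's role must grant the permission attached to the route.
  return (ROLE_PERMISSIONS[user.role] ?? new Set()).has(route.permission);
}

// Defensive audit rule (assumption): any state-changing method on a datasource
// route that is not in builderRoutes is reported, because datasource config
// (host, port, credentials, REST url) must only be editable by builders.
const MUTATING = new Set(["POST", "PUT", "PATCH", "DELETE"]);
function auditRoutes(routes) {
  return routes
    .filter((r) => MUTATING.has(r.method) && r.path.startsWith("/api/datasources") && r.group !== "builderRoutes")
    .map((r) => `${r.method} ${r.path}: mutating route in "${r.group}" guarded only by ${r.permission}`);
}

// Demonstration on a constructed datasource id.
const basicUser = { role: "BASIC" };
console.log(isAuthorized(VULNERABLE_ROUTES, basicUser, "PUT", "/api/datasources/ds_example")); // true
console.log(isAuthorized(FIXED_ROUTES, basicUser, "PUT", "/api/datasources/ds_example")); // false
console.log(auditRoutes(VULNERABLE_ROUTES)); // one finding for the PUT route
console.log(auditRoutes(FIXED_ROUTES)); // []

module.exports = { ROLE_PERMISSIONS, VULNERABLE_ROUTES, FIXED_ROUTES, pathMatches, isAuthorized, auditRoutes };
```

The audit function is the part worth keeping in a real code base: run it over the registered router in a unit test so that a mutating datasource route can never again land in a permission-gated group without the test failing.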
**Recommendations**
Update to version 3.38.1.