PT-2026-41796 · Budibase+2 · Budibase

Offset

·

Published

2026-05-18

·

Updated

2026-05-27

·

CVE-2026-45718

CVSS v3.1

5.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.38.1
Description The row action trigger endpoint "POST /api/tables/:sourceId/actions/:actionId/trigger" fails to validate if the user-supplied rowId is within the scope of the view's row filters. This allows a user with access to a filtered view to trigger row actions on any row in the underlying table, including those explicitly excluded by security filters. This occurs because the system discards the view context and fetches the row directly from the table using the sdk.rows.find() function, bypassing the enforcement of view query filters. This can lead to unauthorized data modification, information disclosure, or the execution of unauthorized actions via automations.
Recommendations Update to version 3.38.1. As a temporary workaround, restrict access to the "POST /api/tables/:sourceId/actions/:actionId/trigger" endpoint to only highly trusted users until the update is applied.

Exploit

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45718
GHSA-3263-V5V9-XQ8Q

Affected Products

Budibase