PT-2026-41796 · Budibase+2 · Budibase
Offset
·
Published
2026-05-18
·
Updated
2026-05-27
·
CVE-2026-45718
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Budibase versions prior to 3.38.1
Description
The row action trigger endpoint "POST /api/tables/:sourceId/actions/:actionId/trigger" fails to validate if the user-supplied
rowId is within the scope of the view's row filters. This allows a user with access to a filtered view to trigger row actions on any row in the underlying table, including those explicitly excluded by security filters. This occurs because the system discards the view context and fetches the row directly from the table using the sdk.rows.find() function, bypassing the enforcement of view query filters. This can lead to unauthorized data modification, information disclosure, or the execution of unauthorized actions via automations.Recommendations
Update to version 3.38.1.
As a temporary workaround, restrict access to the "POST /api/tables/:sourceId/actions/:actionId/trigger" endpoint to only highly trusted users until the update is applied.
Exploit
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Budibase