PT-2026-44055 · Budibase · Budibase

Adrgs · Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-46427

CVSS v3.1

7.7 High

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Budibase versions prior to 3.38.3

Description

The removeSecrets() function in the server SDK fails to mask datasource configuration fields unless their schema type is DatasourceFieldType.PASSWORD. Because the Snowflake integration defines the privateKey field as SENSITIVE LONGFORM, it is skipped by the filter. An authenticated user with BASIC permissions and any app role can access the '/api/datasources/:datasourceId' endpoint to retrieve the full Snowflake PEM (Privacy Enhanced Mail) private key in plaintext.

Recommendations

Update to version 3.38.3.
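
The filtering gap described above, modelled as an added example (not Budibase's code, and the hardened variant is not claimed to be the 3.38.3 change), with a regression check that lists secret-typed fields a filter leaves unmasked. The field-type string values, mask string, sample schema and config, and the names makeFilter, removeSecretsPasswordOnly, removeSecretsAllSensitive and leakedSecretFields are assumptions made for illustration.

```typescript
// Simplified model of a datasource secret filter; NOT Budibase's source code.
// Type names follow the advisory; string values, mask and PEM text are constructed.
const FieldType = {
  STRING: "string",
  PASSWORD: "password",
  SENSITIVE_LONGFORM: "sensitiveLongForm",
} as const;
type FieldTypeValue = (typeof FieldType)[keyof typeof FieldType];
type Schema = Record<string, { type: FieldTypeValue }>;
type Config = Record<string, string>;
type Filter = (schema: Schema, config: Config) => Config;
const MASK = "********";
// Constructed Snowflake-style schema: privateKey is typed as sensitive long-form.
const snowflakeSchema: Schema = {
  account: { type: FieldType.STRING },
  password: { type: FieldType.PASSWORD },
  privateKey: { type: FieldType.SENSITIVE_LONGFORM },
};
const storedConfig: Config = {
  account: "example-account",
  password: "constructed-password",
  privateKey: "-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----",
};

// Builds a filter that masks only fields whose schema type is in `maskedTypes`.
function makeFilter(maskedTypes: ReadonlySet<FieldTypeValue>): Filter {
  return (schema, config) => {
    const out: Config = { ...config };
    for (const [key, field] of Object.entries(schema)) {
      if (maskedTypes.has(field.type) && out[key]) out[key] = MASK;
    }
    return out;
  };
}

// Flawed pattern described in the advisory: PASSWORD is the only masked type.
const removeSecretsPasswordOnly = makeFilter(new Set<FieldTypeValue>([FieldType.PASSWORD]));
// Hardened variant (an assumption, not the 3.38.3 patch): every secret-bearing type.
const SECRET_TYPES = new Set<FieldTypeValue>([FieldType.PASSWORD, FieldType.SENSITIVE_LONGFORM]);
const removeSecretsAllSensitive = makeFilter(SECRET_TYPES);

// Regression check: secret-typed fields whose stored value survives the filter.
function leakedSecretFields(filter: Filter, schema: Schema, config: Config): string[] {
  const filtered = filter(schema, config);
  return Object.entries(schema)
    .filter(([k, f]) => SECRET_TYPES.has(f.type) && !!config[k] && filtered[k] === config[k])
    .map(([k]) => k);
}
console.log(leakedSecretFields(removeSecretsPasswordOnly, snowflakeSchema, storedConfig));
```

A check of this shape, run over every integration schema in a test suite, flags any secret-typed field that a response filter would return unmasked.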

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-46427

Affected Products

Budibase