PT-2026-44063 · Budibase · Budibase

Mjashank · Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-48152

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 3.39.0
Description: Insufficient permission checks on the single-datasource 'GET' and 'PUT' routes allow users with the Basic app user role to read and modify REST datasource configurations. Because these routes are guarded by the generic TABLE READ permission rather than a Builder/Admin or ownership check, a Basic user can update the config.url value while leaving the redacted secret placeholders in place. When the mergeConfigs() function runs during the update, it replaces those placeholders with the stored secret. Subsequently, during query execution, the platform prefixes the attacker-controlled config.url to the relative query path and attaches the resolved stored authentication headers, so the REST Authorization secret is disclosed server-side to an external listener.
Recommendations: Update to version 3.39.0.
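As an added illustration (not Budibase's code; all names, placeholders and data are hypothetical), a mergeConfigs-style update path with the weak TABLE READ guard beside a Builder/Admin-or-owner guard, showing why restoring a redacted secret after a Basic user changed the url hands that secret to whatever host the url points at:

```javascript
// Added example, not Budibase's code: hypothetical datasource update path
// showing the weak TABLE READ check beside a Builder/Admin-or-owner check.
const REDACTED = "--redacted--"; // constructed placeholder for stored secrets

// Constructed stored REST datasource; the secret header is already saved.
function makeStoredDatasource() {
  return {
    id: "ds-1",
    owner: "builder-1",
    config: {
      url: "https://api.internal.example",
      defaultHeaders: { Authorization: "Bearer stored-secret" },
    },
  };
}

// mergeConfigs-style merge: any header sent as the redacted placeholder is
// replaced with the stored value, whatever else in the update changed.
function mergeConfigs(stored, update) {
  const headers = { ...stored.config.defaultHeaders };
  for (const [name, value] of Object.entries(update.config.defaultHeaders || {})) {
    headers[name] = value === REDACTED ? stored.config.defaultHeaders[name] : value;
  }
  return { ...stored.config, ...update.config, defaultHeaders: headers };
}

// Weak guard: generic table-read permission, which a Basic app user holds.
function canUpdateWeak(user) {
  return user.permissions.includes("TABLE_READ");
}

// Hardened guard: only Builder/Admin roles or the datasource owner may update.
function canUpdateHardened(user, ds) {
  return ["BUILDER", "ADMIN"].includes(user.role) || user.id === ds.owner;
}

// PUT handler: authorize first, then merge; returns the status a caller sees.
function updateDatasource(user, ds, update, authorize) {
  if (!authorize(user, ds)) return { status: 403, config: ds.config };
  ds.config = mergeConfigs(ds, update);
  return { status: 200, config: ds.config };
}

// Query execution: the stored url is prefixed to the relative path and the
// resolved stored headers are attached, so whoever controls url receives them.
function buildRequest(ds, relativePath) {
  return { url: ds.config.url + relativePath, headers: ds.config.defaultHeaders };
}
```

A detection hook falls out of the same shape: log and alert on any datasource update where config.url changes while secret fields arrive as the placeholder, regardless of which guard is in place.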

Weakness Enumeration
Incorrect Authorization

Related Identifiers
CVE-2026-48152

Affected Products
Budibase