Vulnerability-Lookup

CVE-2026-45718 (GCVE-0-2026-45718)

Vulnerability from cvelistv5 – Published: 2026-05-27 17:07 – Updated: 2026-05-28 15:08

Title

Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows

Summary

Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is within the scope of the view's row filters. A user with access to a filtered view can trigger row actions on any row in the underlying table, including rows explicitly excluded by the view's security filters. This vulnerability is fixed in 3.38.1.

Severity

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-863 - Incorrect Authorization

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/Budibase/budibase/security/adv…	x_refsource_CONFIRM
https://github.com/Budibase/budibase/releases/tag…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
Budibase	budibase	Affected: < 3.38.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45718",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-28T15:07:35.412129Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-28T15:08:02.758Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-3263-v5v9-xq8q"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "budibase",
          "vendor": "Budibase",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.38.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is within the scope of the view\u0027s row filters. A user with access to a filtered view can trigger row actions on any row in the underlying table, including rows explicitly excluded by the view\u0027s security filters. This vulnerability is fixed in 3.38.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T17:07:59.856Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Budibase/budibase/security/advisories/GHSA-3263-v5v9-xq8q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-3263-v5v9-xq8q"
        },
        {
          "name": "https://github.com/Budibase/budibase/releases/tag/3.38.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Budibase/budibase/releases/tag/3.38.1"
        }
      ],
      "source": {
        "advisory": "GHSA-3263-v5v9-xq8q",
        "discovery": "UNKNOWN"
      },
      "title": "Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-45718",
    "datePublished": "2026-05-27T17:07:59.856Z",
    "dateReserved": "2026-05-13T05:51:48.666Z",
    "dateUpdated": "2026-05-28T15:08:02.758Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-45718",
      "date": "2026-05-29",
      "epss": "0.00025",
      "percentile": "0.07621"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-45718\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-27T18:16:25.873\",\"lastModified\":\"2026-05-28T16:16:26.407\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is within the scope of the view\u0027s row filters. A user with access to a filtered view can trigger row actions on any row in the underlying table, including rows explicitly excluded by the view\u0027s security filters. This vulnerability is fixed in 3.38.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"references\":[{\"url\":\"https://github.com/Budibase/budibase/releases/tag/3.38.1\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Budibase/budibase/security/advisories/GHSA-3263-v5v9-xq8q\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Budibase/budibase/security/advisories/GHSA-3263-v5v9-xq8q\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-45718\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-28T15:07:35.412129Z\"}}}], \"references\": [{\"url\": \"https://github.com/Budibase/budibase/security/advisories/GHSA-3263-v5v9-xq8q\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-28T15:07:58.205Z\"}}], \"cna\": {\"title\": \"Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows\", \"source\": {\"advisory\": \"GHSA-3263-v5v9-xq8q\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"Budibase\", \"product\": \"budibase\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.38.1\"}]}], \"references\": [{\"url\": \"https://github.com/Budibase/budibase/security/advisories/GHSA-3263-v5v9-xq8q\", \"name\": \"https://github.com/Budibase/budibase/security/advisories/GHSA-3263-v5v9-xq8q\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Budibase/budibase/releases/tag/3.38.1\", \"name\": \"https://github.com/Budibase/budibase/releases/tag/3.38.1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is within the scope of the view\u0027s row filters. A user with access to a filtered view can trigger row actions on any row in the underlying table, including rows explicitly excluded by the view\u0027s security filters. This vulnerability is fixed in 3.38.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863: Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-27T17:07:59.856Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-45718\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-28T15:08:02.758Z\", \"dateReserved\": \"2026-05-13T05:51:48.666Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-27T17:07:59.856Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-45718

Vulnerability from fkie_nvd - Published: 2026-05-27 18:16 - Updated: 2026-05-28 16:16

Severity

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/Budibase/budibase/releases/tag/3.38.1
	security-advisories@github.com	https://github.com/Budibase/budibase/security/advisories/GHSA-3263-v5v9-xq8q
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/Budibase/budibase/security/advisories/GHSA-3263-v5v9-xq8q

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is within the scope of the view\u0027s row filters. A user with access to a filtered view can trigger row actions on any row in the underlying table, including rows explicitly excluded by the view\u0027s security filters. This vulnerability is fixed in 3.38.1."
    }
  ],
  "id": "CVE-2026-45718",
  "lastModified": "2026-05-28T16:16:26.407",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-27T18:16:25.873",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Budibase/budibase/releases/tag/3.38.1"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-3263-v5v9-xq8q"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-3263-v5v9-xq8q"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-3263-V5V9-XQ8Q

Vulnerability from github – Published: 2026-05-18 17:44 – Updated: 2026-05-18 17:44

Summary

Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows

Details

Summary

The row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is within the scope of the view's row filters. A user with access to a filtered view can trigger row actions on any row in the underlying table, including rows explicitly excluded by the view's security filters.

Details

View filters in Budibase are treated as a security boundary. The search path (packages/server/src/sdk/workspace/rows/search.ts:93-94) explicitly enforces view query filters with the comment: "that could let users find rows they should not be allowed to access."

However, the row action trigger path bypasses this enforcement entirely:

Route (packages/server/src/api/routes/rowAction.ts:55-59): Accepts a sourceId that can be a viewId.
Middleware (packages/server/src/middleware/triggerRowActionAuthorised.ts:24-55): Correctly validates that the user has READ permission on the view and that the row action is enabled for that view. However, at line 55 it sets ctx.params.tableId = tableId where tableId is the underlying table extracted from the viewId — the viewId is discarded.

// triggerRowActionAuthorised.ts:24-26
const tableId = isTableIdOrExternalTableId(sourceId)
  ? sourceId
  : getTableIdFromViewId(sourceId)  // extracts underlying table

// Line 55: viewId context is lost
ctx.params.tableId = tableId

Controller (packages/server/src/api/controllers/rowAction/run.ts:11): Reads only tableId from params — the view context is gone.

const { tableId, actionId } = ctx.params
const { rowId } = ctx.request.body
await sdk.rowActions.run(tableId, actionId, rowId, ctx.user)

SDK (packages/server/src/sdk/workspace/rowActions/crud.ts:254): Fetches the row using sdk.rows.find(tableId, rowId) — directly from the table with no view filter enforcement.

const row = await sdk.rows.find(tableId, rowId)  // No view filter check

The sdk.rows.find function (packages/server/src/sdk/workspace/rows/internal.ts:67-88) fetches the row by ID directly from the database, only validating that row.tableId === tableId. It never checks whether the row matches the view's query filters.

PoC

# Prerequisites:
# 1. Create a table with a "status" column containing rows: "active" and "archived"
# 2. Create a view filtering to status="active", assign it to BASIC role
# 3. Enable a row action for that view
# 4. Note the rowId of an "archived" row (not visible through the view)

# As a BASIC-role user with access only to the filtered view:
# Trigger the row action on a row OUTSIDE the view's filter scope

curl -X POST 'http://localhost:10000/api/tables/<viewId>/actions/<actionId>/trigger' \
  -H 'Cookie: budibase:auth=<basic_user_jwt>' \
  -H 'Content-Type: application/json' \
  -d '{"rowId": "<archived_row_id>"}'

# Expected: 403 or 404 (row not in view scope)
# Actual: 200 {"message": "Row action triggered."}
# The automation executes with the full archived row data,
# despite view filters excluding it from the user's access.

Impact

A user with BASIC role access to a filtered view can execute row actions (automations) on any row in the underlying table, including rows hidden by the view's security filters. The impact depends on what the triggered automation does:

Information disclosure: The automation receives the full row data as input, which may contain fields/values the user should not see.
Unauthorized data modification: If the automation modifies rows, the attacker can cause changes to rows outside their authorized scope.
Unauthorized actions: If the automation sends notifications, calls webhooks, or performs other side effects, the attacker can trigger these for out-of-scope rows.

This breaks the security model established by view filters, which are explicitly documented as preventing users from accessing rows they should not see.

Recommended Fix

The middleware should pass the viewId to the controller, and the SDK run function should validate the row against the view's filters before executing the automation.

In packages/server/src/middleware/triggerRowActionAuthorised.ts, preserve the sourceId:

// Line 55: preserve the original sourceId for downstream filter validation
ctx.params.tableId = tableId
ctx.params.sourceId = viewId || tableId  // ADD THIS

In packages/server/src/api/controllers/rowAction/run.ts, pass the sourceId:

export async function run(
  ctx: Ctx<RowActionTriggerRequest, RowActionTriggerResponse>
) {
  const { tableId, actionId, sourceId } = ctx.params
  const { rowId } = ctx.request.body

  await sdk.rowActions.run(tableId, actionId, rowId, ctx.user, sourceId)
  ctx.body = { message: "Row action triggered." }
}

In packages/server/src/sdk/workspace/rowActions/crud.ts, validate the row against view filters:

export async function run(
  tableId: any,
  rowActionId: any,
  rowId: string,
  user: User,
  sourceId?: string
) {
  const table = await sdk.tables.getTable(tableId)
  if (!table) {
    throw new HTTPError("Table not found", 404)
  }

  // If triggered from a view, validate the row is within the view's scope
  if (sourceId && isViewId(sourceId)) {
    const result = await sdk.rows.search({
      viewId: sourceId,
      query: { equal: { _id: rowId } },
      limit: 1,
    })
    if (!result.rows.length) {
      throw new HTTPError("Row not found in view scope", 403)
    }
  }

  const { automationId } = await get(tableId, rowActionId)
  const automation = await sdk.automations.get(automationId)
  const row = await sdk.rows.find(tableId, rowId)
  // ... rest unchanged
}

Severity

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "budibase"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.38.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45718"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T17:44:22Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe row action trigger endpoint (`POST /api/tables/:sourceId/actions/:actionId/trigger`) fails to validate that the user-supplied `rowId` is within the scope of the view\u0027s row filters. A user with access to a filtered view can trigger row actions on any row in the underlying table, including rows explicitly excluded by the view\u0027s security filters.\n\n## Details\n\nView filters in Budibase are treated as a security boundary. The search path (`packages/server/src/sdk/workspace/rows/search.ts:93-94`) explicitly enforces view query filters with the comment: *\"that could let users find rows they should not be allowed to access.\"*\n\nHowever, the row action trigger path bypasses this enforcement entirely:\n\n1. **Route** (`packages/server/src/api/routes/rowAction.ts:55-59`): Accepts a `sourceId` that can be a viewId.\n\n2. **Middleware** (`packages/server/src/middleware/triggerRowActionAuthorised.ts:24-55`): Correctly validates that the user has READ permission on the view and that the row action is enabled for that view. However, at line 55 it sets `ctx.params.tableId = tableId` where `tableId` is the **underlying table** extracted from the viewId \u2014 the viewId is discarded.\n\n```typescript\n// triggerRowActionAuthorised.ts:24-26\nconst tableId = isTableIdOrExternalTableId(sourceId)\n  ? sourceId\n  : getTableIdFromViewId(sourceId)  // extracts underlying table\n\n// Line 55: viewId context is lost\nctx.params.tableId = tableId\n```\n\n3. **Controller** (`packages/server/src/api/controllers/rowAction/run.ts:11`): Reads only `tableId` from params \u2014 the view context is gone.\n\n```typescript\nconst { tableId, actionId } = ctx.params\nconst { rowId } = ctx.request.body\nawait sdk.rowActions.run(tableId, actionId, rowId, ctx.user)\n```\n\n4. **SDK** (`packages/server/src/sdk/workspace/rowActions/crud.ts:254`): Fetches the row using `sdk.rows.find(tableId, rowId)` \u2014 directly from the table with no view filter enforcement.\n\n```typescript\nconst row = await sdk.rows.find(tableId, rowId)  // No view filter check\n```\n\nThe `sdk.rows.find` function (`packages/server/src/sdk/workspace/rows/internal.ts:67-88`) fetches the row by ID directly from the database, only validating that `row.tableId === tableId`. It never checks whether the row matches the view\u0027s query filters.\n\n## PoC\n\n```bash\n# Prerequisites:\n# 1. Create a table with a \"status\" column containing rows: \"active\" and \"archived\"\n# 2. Create a view filtering to status=\"active\", assign it to BASIC role\n# 3. Enable a row action for that view\n# 4. Note the rowId of an \"archived\" row (not visible through the view)\n\n# As a BASIC-role user with access only to the filtered view:\n# Trigger the row action on a row OUTSIDE the view\u0027s filter scope\n\ncurl -X POST \u0027http://localhost:10000/api/tables/\u003cviewId\u003e/actions/\u003cactionId\u003e/trigger\u0027 \\\n  -H \u0027Cookie: budibase:auth=\u003cbasic_user_jwt\u003e\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"rowId\": \"\u003carchived_row_id\u003e\"}\u0027\n\n# Expected: 403 or 404 (row not in view scope)\n# Actual: 200 {\"message\": \"Row action triggered.\"}\n# The automation executes with the full archived row data,\n# despite view filters excluding it from the user\u0027s access.\n```\n\n## Impact\n\nA user with BASIC role access to a filtered view can execute row actions (automations) on **any row** in the underlying table, including rows hidden by the view\u0027s security filters. The impact depends on what the triggered automation does:\n\n- **Information disclosure**: The automation receives the full row data as input, which may contain fields/values the user should not see.\n- **Unauthorized data modification**: If the automation modifies rows, the attacker can cause changes to rows outside their authorized scope.\n- **Unauthorized actions**: If the automation sends notifications, calls webhooks, or performs other side effects, the attacker can trigger these for out-of-scope rows.\n\nThis breaks the security model established by view filters, which are explicitly documented as preventing users from accessing rows they should not see.\n\n## Recommended Fix\n\nThe middleware should pass the `viewId` to the controller, and the SDK `run` function should validate the row against the view\u0027s filters before executing the automation.\n\nIn `packages/server/src/middleware/triggerRowActionAuthorised.ts`, preserve the sourceId:\n\n```typescript\n// Line 55: preserve the original sourceId for downstream filter validation\nctx.params.tableId = tableId\nctx.params.sourceId = viewId || tableId  // ADD THIS\n```\n\nIn `packages/server/src/api/controllers/rowAction/run.ts`, pass the sourceId:\n\n```typescript\nexport async function run(\n  ctx: Ctx\u003cRowActionTriggerRequest, RowActionTriggerResponse\u003e\n) {\n  const { tableId, actionId, sourceId } = ctx.params\n  const { rowId } = ctx.request.body\n\n  await sdk.rowActions.run(tableId, actionId, rowId, ctx.user, sourceId)\n  ctx.body = { message: \"Row action triggered.\" }\n}\n```\n\nIn `packages/server/src/sdk/workspace/rowActions/crud.ts`, validate the row against view filters:\n\n```typescript\nexport async function run(\n  tableId: any,\n  rowActionId: any,\n  rowId: string,\n  user: User,\n  sourceId?: string\n) {\n  const table = await sdk.tables.getTable(tableId)\n  if (!table) {\n    throw new HTTPError(\"Table not found\", 404)\n  }\n\n  // If triggered from a view, validate the row is within the view\u0027s scope\n  if (sourceId \u0026\u0026 isViewId(sourceId)) {\n    const result = await sdk.rows.search({\n      viewId: sourceId,\n      query: { equal: { _id: rowId } },\n      limit: 1,\n    })\n    if (!result.rows.length) {\n      throw new HTTPError(\"Row not found in view scope\", 403)\n    }\n  }\n\n  const { automationId } = await get(tableId, rowActionId)\n  const automation = await sdk.automations.get(automationId)\n  const row = await sdk.rows.find(tableId, rowId)\n  // ... rest unchanged\n}\n```",
  "id": "GHSA-3263-v5v9-xq8q",
  "modified": "2026-05-18T17:44:22Z",
  "published": "2026-05-18T17:44:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-3263-v5v9-xq8q"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Budibase/budibase"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/releases/tag/3.38.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows"
}

WID-SEC-W-2026-1477

Vulnerability from csaf_certbund - Published: 2026-05-11 22:00 - Updated: 2026-05-27 22:00

Summary

Budibase: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Budibase ist eine quelloffene Low-Code-Plattform für die Erstellung interner Anwendungen, wie z. B. Verwaltungspanels.

Angriff: Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Budibase ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen, Code auszuführen oder seine Rechte zu erweitern.

Betroffene Betriebssysteme: - Linux - Sonstiges - UNIX

CVE-2026-45718

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Budibase <3.38.1 Open Source / Budibase		<3.38.1

CVE-2026-45719

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Budibase <3.38.1 Open Source / Budibase		<3.38.1

Vulnerability 3

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Budibase <3.38.1 Open Source / Budibase		<3.38.1

CVE-2026-45716

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Budibase <3.38.1 Open Source / Budibase		<3.38.1

CVE-2026-45715

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Budibase <3.38.1 Open Source / Budibase		<3.38.1

References

7 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://github.com/Budibase/budibase/security/adv…	external
https://github.com/Budibase/budibase/security/adv…	external
https://github.com/Budibase/budibase/security/adv…	external
https://github.com/Budibase/budibase/security/adv…	external
https://github.com/Budibase/budibase/security/adv…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Budibase ist eine quelloffene Low-Code-Plattform f\u00fcr die Erstellung interner Anwendungen, wie z. B. Verwaltungspanels.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Budibase ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen, Code auszuf\u00fchren oder seine Rechte zu erweitern.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1477 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1477.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1477 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1477"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-3263-v5v9-xq8q vom 2026-05-11",
        "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-3263-v5v9-xq8q"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-363w-hvwh-w7m6 vom 2026-05-11",
        "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-363w-hvwh-w7m6"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-86f3-cqpq-wp9m vom 2026-05-11",
        "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-86f3-cqpq-wp9m"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-c54j-xp92-wh28 vom 2026-05-11",
        "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-c54j-xp92-wh28"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-fgqv-jh4g-pvg2 vom 2026-05-11",
        "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-fgqv-jh4g-pvg2"
      }
    ],
    "source_lang": "en-US",
    "title": "Budibase: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-05-27T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-28T07:28:35.958+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1477",
      "initial_release_date": "2026-05-11T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-05-11T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-05-17T22:00:00.000+00:00",
          "number": "2",
          "summary": "CVE erg\u00e4nzt"
        },
        {
          "date": "2026-05-18T22:00:00.000+00:00",
          "number": "3",
          "summary": "CVE\u0027s erg\u00e4nzt"
        },
        {
          "date": "2026-05-27T22:00:00.000+00:00",
          "number": "4",
          "summary": "Referenz(en) aufgenommen: EUVD-2026-32602, EUVD-2026-32600, EUVD-2026-32599, EUVD-2026-32603"
        }
      ],
      "status": "final",
      "version": "4"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c3.38.1",
                "product": {
                  "name": "Open Source Budibase \u003c3.38.1",
                  "product_id": "T053845"
                }
              },
              {
                "category": "product_version",
                "name": "3.38.1",
                "product": {
                  "name": "Open Source Budibase 3.38.1",
                  "product_id": "T053845-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:budibase:budibase:3.38.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Budibase"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-45718",
      "product_status": {
        "known_affected": [
          "T053845"
        ]
      },
      "release_date": "2026-05-11T22:00:00.000+00:00",
      "title": "CVE-2026-45718"
    },
    {
      "cve": "CVE-2026-45719",
      "product_status": {
        "known_affected": [
          "T053845"
        ]
      },
      "release_date": "2026-05-11T22:00:00.000+00:00",
      "title": "CVE-2026-45719"
    },
    {
      "product_status": {
        "known_affected": [
          "T053845"
        ]
      },
      "release_date": "2026-05-11T22:00:00.000+00:00"
    },
    {
      "cve": "CVE-2026-45716",
      "product_status": {
        "known_affected": [
          "T053845"
        ]
      },
      "release_date": "2026-05-11T22:00:00.000+00:00",
      "title": "CVE-2026-45716"
    },
    {
      "cve": "CVE-2026-45715",
      "product_status": {
        "known_affected": [
          "T053845"
        ]
      },
      "release_date": "2026-05-11T22:00:00.000+00:00",
      "title": "CVE-2026-45715"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-45718 (GCVE-0-2026-45718)

FKIE_CVE-2026-45718

GHSA-3263-V5V9-XQ8Q

Summary

Details

PoC

Impact

Recommended Fix

WID-SEC-W-2026-1477

Tags

Sightings

Nomenclature