CVE-2026-45718 | THREATINT

Description

Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is within the scope of the view's row filters. A user with access to a filtered view can trigger row actions on any row in the underlying table, including rows explicitly excluded by the view's security filters. This vulnerability is fixed in 3.38.1.

PUBLISHED Reserved 2026-05-13 | Published 2026-05-27 | Updated 2026-05-28 | Assigner GitHub_M

MEDIUM: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Problem types

CWE-863: Incorrect Authorization

Product status

< 3.38.1

affected

References

github.com/...dibase/security/advisories/GHSA-3263-v5v9-xq8q exploit

github.com/...dibase/security/advisories/GHSA-3263-v5v9-xq8q

github.com/Budibase/budibase/releases/tag/3.38.1

cve.org (CVE-2026-45718)

nvd.nist.gov (CVE-2026-45718)

Download JSON