EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in the npm package @budibase/server (the affected version ranges are given in the advisories referenced below). They include Server-Side Request Forgery (SSRF), missing authentication on a webhook endpoint, and privilege escalation, and can lead to unauthorized access, exfiltration of stored credentials and data, and disruption of service. The business impact is significant: an attacker with a low-privileged account, and in one case no account at all, can reach sensitive data and internal services or take administrative control of the deployment.
CVE-2026-48152, CVSS 8.1 - A user holding only the Basic app role can rewrite the base URL of a REST datasource, so that the authentication material stored for that datasource is sent to a host of the attacker's choosing. This exfiltrates stored credentials and can lead to unauthorized access to the upstream service they protect.
CVE-2026-48151, CVSS 7.5 - An unauthenticated caller who knows a webhook's identifier can update that webhook's body schema and thereby mutate the output schema of the corresponding automation trigger, potentially leading to data tampering and disruption of the automations that depend on it.
CVE-2026-48150, CVSS 9.0 - A builder whose permissions are scoped to a single workspace can escalate to global admin through the /api/public/v1/roles/assign endpoint, giving them control of the whole deployment rather than only their workspace.
CVE-2026-48146, CVSS 7.7 - A user with the BUILDER role can point an OAuth2 token URL at internal services (SSRF), causing the server to issue requests from inside the deployment's network and potentially exfiltrating sensitive data from services that are not reachable externally.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-3gp5-q4jw-3v94
https://github.com/advisories/GHSA-qhv3-wjg8-6fx6
https://github.com/advisories/GHSA-6xp4-cf37-ppjh
https://github.com/advisories/GHSA-g6qx-g4pr-92v7