EUVD-2026-32588

🗓️ 27 May 2026 16:56:46Reported by EUVDType

Budibase before 3.39.0 exposed REST datasource secrets to Basic users via read, update, and path prefixing.

Reporter	Title	Published	Views	Family All 9
ATTACKERKB	CVE-2026-48152	27 May 202616:56	–	attackerkb
Circl	CVE-2026-48152	27 May 202619:01	–	circl
CNNVD	Budibase 安全漏洞	27 May 202600:00	–	cnnvd
CVE	CVE-2026-48152	27 May 202616:56	–	cve
Cvelist	CVE-2026-48152 Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL	27 May 202616:56	–	cvelist
NVD	CVE-2026-48152	27 May 202618:16	–	nvd
Positive Technologies	PT-2026-44063	27 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-48152	5 Jun 202619:13	–	redhatcve
Vulnrichment	CVE-2026-48152 Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL	27 May 202616:56	–	vulnrichment

[
  {
    "enisaIdVendor": [
      {
        "id": "0defee24-f95f-303b-8e15-ac5618506688",
        "vendor": {
          "name": "budibase"
        }
      }
    ],
    "enisaIdProduct": [
      {
        "id": "b0cb04f5-9550-3646-a665-4f9d5a7d455b",
        "product": {
          "name": "budibase",
          "vendor": {
            "name": "budibase"
          }
        },
        "product_version": "< 3.39.0"
      }
    ]
  }
]

Source	Link
github	www.github.com/Budibase/budibase/security/advisories/GHSA-3gp5-q4jw-3v94

27 May 2026 18:41Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.18.1

EPSS0.00047

SSVC