CVE-2026-45718
MEDIUMBudibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows
Title source: cnaDescription
Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is within the scope of the view's row filters. A user with access to a filtered view can trigger row actions on any row in the underlying table, including rows explicitly excluded by the view's security filters. This vulnerability is fixed in 3.38.1.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/Budibase/budibase/security/advisories/GHSA-3263-v5v9-xq8q
X_Refsource_Misc x_refsource_misc
https://github.com/Budibase/budibase/releases/tag/3.38.1
Scores
CVSS v3
5.4
EPSS
0.0015
EPSS Percentile
4.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (2)
Budibase/budibase
< 3.38.1
npm/budibase
0 - 3.38.1npm
Published
May 27, 2026
Tracked Since
May 27, 2026