Budibase open-source low-code platform prior to version 3.38.1 contains a privilege escalation vulnerability in its REST API for datasource management. The PUT /api/datasources/:datasourceId endpoint is misconfigured with TABLE/READ permission instead of proper authorization, allowing any authenticated non-builder app user to modify datasource configurations. Attackers can exploit this to change connection parameters including host, port, database credentials, and REST datasource URLs. The vulnerability enables Server-Side Request Forgery (SSRF) attacks against internal services since no network-level protection is applied to SQL driver connections. This allows attackers to probe and interact with internal services on arbitrary ports by redirecting PostgreSQL, MySQL, or MongoDB datasources to internal IP addresses.