Perceptive Security
SOC/SIEM Consultancy

Budibase is an open-source low-code platform. Prior to 3.39.0, the single-datasource GET and PUT routes are guarded by generic TABLE READ, not by Builder/Admin …
Published: 26 May 2026 at 22:00:00
Alert date: 27 May 2026 at 20:13:42
Source: nvd.nist.gov
Web Technologies, Enterprise Applications
Budibase open-source low-code platform prior to version 3.39.0 contains a privilege escalation vulnerability that allows Basic users to exploit inadequate permission checks on single-datasource GET and PUT routes. The vulnerability enables attackers to read REST datasource configurations, manipulate the config.url while preserving redacted authorization placeholders, and trigger relative-path REST queries. This results in server-side disclosure of builder-configured REST Authorization secrets to attacker-controlled listeners. The issue stems from routes being guarded by generic TABLE READ permissions rather than proper Builder/Admin permissions or datasource-specific ownership checks. Fixed in version 3.39.0.
Technical details
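The chain described above, modelled as an added TypeScript example that is not Budibase's code: a Basic user who passes a generic TABLE READ guard can GET a REST datasource (secrets redacted), PUT it back with only config.url changed, and have the stored Authorization value re-attached to the new host. The role names, permission string, redaction marker and data shapes are assumptions for illustration; the hardened guard shows the Builder/Admin-or-owner check the advisory calls for.

```typescript
// Added illustration of CVE-2026-48152's authorization gap; not Budibase code.
type Role = "BASIC" | "BUILDER" | "ADMIN";
interface User { id: string; role: Role; permissions: Set<string> }
interface RestConfig { url: string; defaultHeaders: Record<string, string> }
interface Datasource { id: string; createdBy: string; config: RestConfig }

const REDACTED = "--secret-value--"; // assumed marker the GET route returns in place of a secret

// Vulnerable guard: the single-datasource route only checks a generic TABLE READ permission.
function guardVulnerable(user: User, _ds: Datasource): boolean {
  return user.permissions.has("TABLE_READ");
}

// Hardened guard: Builder/Admin role, or ownership of this specific datasource.
function guardHardened(user: User, ds: Datasource): boolean {
  return user.role === "BUILDER" || user.role === "ADMIN" || ds.createdBy === user.id;
}

// GET: return the config with the Authorization header replaced by the placeholder.
function redact(ds: Datasource): RestConfig {
  const headers: Record<string, string> = {};
  for (const [k, v] of Object.entries(ds.config.defaultHeaders))
    headers[k] = k.toLowerCase() === "authorization" ? REDACTED : v;
  return { url: ds.config.url, defaultHeaders: headers };
}

// PUT: placeholder values are swapped back for the stored secret, so a client that
// changes only config.url ends up with the real Authorization header on a new host.
function merge(stored: Datasource, patch: RestConfig): RestConfig {
  const headers: Record<string, string> = {};
  for (const [k, v] of Object.entries(patch.defaultHeaders))
    headers[k] = v === REDACTED ? stored.config.defaultHeaders[k] : v;
  return { url: patch.url, defaultHeaders: headers };
}

// Runs a Basic user's GET + PUT through one guard. Returns the URL the stored secret would be
// sent to on the next query, or null when the guard rejects the request. Values are constructed.
function leakedTo(guard: (u: User, d: Datasource) => boolean): string | null {
  const ds: Datasource = { id: "ds_1", createdBy: "builder_1", config: {
    url: "https://api.internal.example", defaultHeaders: { Authorization: "Bearer s3cr3t" } } };
  const basic: User = { id: "basic_1", role: "BASIC", permissions: new Set(["TABLE_READ"]) };
  if (!guard(basic, ds)) return null;
  const seen = redact(ds);                                        // secret shows as placeholder
  const saved = merge(ds, { ...seen, url: "https://listener.example" }); // placeholder restored
  return saved.defaultHeaders.Authorization === "Bearer s3cr3t" ? saved.url : null;
}
```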
Mitigation steps: upgrade to Budibase 3.39.0 or later, the version in which the issue is fixed.
Affected products: Budibase
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-48152
https://github.com/Budibase/budibase/security/advisories/GHSA-3gp5-q4jw-3v94
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
