


Perceptive Security
SOC/SIEM Consultancy

Budibase is an open-source low-code platform. Prior to 3.39.0, the single-datasource GET and PUT routes are guarded by generic TABLE READ, not by Builder/Admin …
Published: 26 May 2026 at 22:00:00
Alert date: 27 May 2026 at 19:08:13
Source: nvd.nist.gov
Web Technologies, Identity & Access
Budibase, an open-source low-code platform, has a vulnerability in versions prior to 3.39.0: the single-datasource GET and PUT routes are guarded by the generic TABLE READ permission instead of Builder/Admin or datasource-specific checks. Because of this inadequate permission check, a Basic user can manipulate a REST datasource configuration, changing config.url while keeping the redacted placeholders in place. During query execution, the platform then discloses the builder-configured REST Authorization secrets to the attacker-controlled listener. The result is server-side disclosure of sensitive authorization credentials to unauthorized parties.
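The two server-side checks this description points to, as an added defensive example that is not Budibase's code or its actual fix: an editor-role gate on datasource updates, and a refusal to carry stored secrets over to a new URL origin. It assumes the update handler restores stored secrets wherever the submitted config still holds a redaction placeholder; every function name, role string, the placeholder value and the config shape are hypothetical.

```javascript
// Added illustration; all names are hypothetical, not Budibase's API.
const REDACTED = "--redacted--"; // constructed placeholder value
const EDIT_ROLES = new Set(["builder", "admin"]); // assumed role names

// True when any value nested in `value` is still the redaction placeholder.
function hasPlaceholder(value) {
  if (value === REDACTED) return true;
  if (value && typeof value === "object") {
    return Object.values(value).some(hasPlaceholder);
  }
  return false;
}

// Replace placeholders in `incoming` with the stored secret at the same path.
function restoreSecrets(incoming, stored) {
  if (incoming === REDACTED) return stored;
  if (incoming && typeof incoming === "object" && !Array.isArray(incoming)) {
    const out = {};
    for (const [key, val] of Object.entries(incoming)) {
      out[key] = restoreSecrets(val, stored ? stored[key] : undefined);
    }
    return out;
  }
  return incoming;
}

// Scheme + host + port of a URL, or null when it does not parse.
function origin(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Decide whether an update may be saved and, if so, build the saved config.
function applyDatasourceUpdate(user, stored, incoming) {
  if (!EDIT_ROLES.has(user.role)) {
    return { ok: false, reason: "forbidden: builder/admin required" };
  }
  const newOrigin = origin(incoming.config.url);
  if (newOrigin === null) return { ok: false, reason: "invalid url" };
  if (newOrigin !== origin(stored.config.url) && hasPlaceholder(incoming.config)) {
    // Stored secrets were entered for the old destination; require re-entry.
    return { ok: false, reason: "re-enter secrets when changing url origin" };
  }
  return { ok: true, config: restoreSecrets(incoming.config, stored.config) };
}
```

The origin comparison is the part that still matters after the permission gate is in place, since it keeps a stored secret bound to the destination it was entered for.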
Technical details
Affected products:
Budibase
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-48152
https://github.com/Budibase/budibase/security/advisories/GHSA-3gp5-q4jw-3v94
This article was created with the assistance of AI technology by Perceptive.
