Budibase is an open-source low-code platform. Prior to 3.38.1, Budibase exposes a REST API for datasource management. The route PUT /api/datasources/:datasource…

Budibase open-source low-code platform prior to version 3.38.1 contains an authorization bypass vulnerability in its REST API for datasource management. The PUT /api/datasources/:datasourceId endpoint uses incorrect TABLE/READ permissions instead of proper write permissions, allowing any authenticated user with BASIC role to modify datasource configurations. Attackers can rewrite database connection details including host, port, and credentials. The vulnerability enables Server-Side Request Forgery (SSRF) attacks against internal services through PostgreSQL/MySQL/MongoDB connections due to lack of network-level protection. This allows probing and interaction with internal services on arbitrary ports.