Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, a

Description

Budibase exposes a REST API for datasource management. The route PUT /api/datasources/:datasourceId is registered in the authorizedRoutes group with TABLE/READ permission. This is the same authorization level as the read endpoint (GET /api/datasources/:datasourceId).

Recommendation

Update the @budibase/server package to the latest compatible version. Followings are version details:

• Affected version(s): < 3.38.1
• Patched version(s): 3.38.1

References

• GHSA-44m2-crh7-f4q2
• CVE-2026-45717
• CWE-862
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Opening a malicious website while running a Nuxt dev server could allow read-only access to code - @nuxt/webpack-builder - CVE-2025-24361
• Opening a malicious website while running a Nuxt dev server could allow read-only access to code - @nuxt/vite-builder - CVE-2025-24360
• Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API - CVE-2026-45719
• Opening a malicious website while running a Nuxt dev server could allow read-only access to code - CVE-2025-24361

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

@budibase/server