CVE-2026-46427 HIGH

CVE-2026-46427: Budibase: Snowflake private key returned unmasked from datasource API to BASIC users

Vendor Budibase

Product budibase

Weakness CWE-200 · Info exposure

Published May 27, 2026

Last update May 28, 2026

View on NVD All CVEs

CVSS base score

7.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

Budibase is an open-source low-code platform. Prior to 3.38.3, removeSecrets at packages/server/src/sdk/workspace/datasources/datasources.ts masks only datasource config fields whose schema type is DatasourceFieldType.PASSWORD. The Snowflake integration types its privateKey field as SENSITIVE_LONGFORM, which the filter skips. GET /api/datasources/:datasourceId lives on authorizedRoutes guarded by PermissionType.TABLE + PermissionLevel.READ. An authenticated BASIC user with any app role and call the endpoint and receive the full Snowflake PEM in plaintext. This vulnerability is fixed in 3.38.3.

Key dates

02Disclosure timeline

May 27, 2026 CVE published

May 28, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-46427

Related vulnerabilities

CVE-2026-46427: Budibase: Snowflake private key returned unmasked from datasource API to BASIC users

01Description

02Disclosure timeline

03References

04Related CVE