CVE-2026-45718: Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows

May 18, 2026 (updated June 8, 2026)

The row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is within the scope of the view’s row filters. A user with access to a filtered view can trigger row actions on any row in the underlying table, including rows explicitly excluded by the view’s security filters.

References

github.com/Budibase/budibase/releases/tag/3.38.1
github.com/Budibase/budibase/security/advisories/GHSA-3263-v5v9-xq8q
github.com/advisories/GHSA-3263-v5v9-xq8q
nvd.nist.gov/vuln/detail/CVE-2026-45718

Code Behaviors & Features

Detect and mitigate CVE-2026-45718 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →