Description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized() middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any request. The isWebhookEndpoint() function uses an unanchored regex that tests against ctx.request.url, which in Koa includes the full URL with query parameters. When the regex matches, the authorized() middleware immediately calls return next(), skipping all authentication, authorization, role checks, and CSRF protection. This means a completely unauthenticated, remote attacker can access any server-side API endpoint by simply appending ?/webhooks/trigger (or any webhook pattern variant) to the URL.
Published: 2026-03-09
Score: 9.1 Critical
EPSS: 15.3% Moderate
KEV: No
Impact: Authentication Bypass
Action: Apply Patch
AI Analysis

Impact

Budibase is a low‑code platform that protects all server‑side APIs with an authorized() middleware. In versions 3.31.4 and earlier, the middleware can be bypassed by including a webhook pattern in the query string of any request. The isWebhookEndpoint() function uses an unanchored regular expression that evaluates the full URL, including query parameters. When the pattern matches, the middleware immediately calls next() and skips every authentication, role check, and CSRF protection. This flaw, a classic input validation weakness (CWE‑74), allows a remote, unauthenticated attacker to invoke any server‑side API simply by appending a string such as ?/webhooks/trigger to the URL.
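The following is an added illustrative example, not Budibase's own code: it reconstructs the bug class the description and the analysis above explain, with the regex, the assumed `/api/webhooks/trigger/<id>` route and the middleware shape all being assumptions, and places the vulnerable check beside a hardened one plus a log-side detection helper.

```javascript
// Added illustrative example, not Budibase's own code: the regexes, the
// "/api/webhooks/trigger/<id>" route and the middleware shape are assumptions
// reconstructed from the advisory text.

// Koa exposes the raw request target (path plus query string) as
// ctx.request.url and the pathname alone as ctx.request.path; this stand-in
// mirrors that distinction so the example runs without Koa.
function makeCtx(rawUrl, user = null) {
  const parsed = new URL(rawUrl, 'http://budibase.local'); // placeholder host
  return { request: { url: rawUrl, path: parsed.pathname }, user };
}

// Vulnerable shape: an unanchored pattern tested against the full URL, so a
// webhook fragment anywhere in the query string satisfies the check.
const WEBHOOK_RE_UNANCHORED = /\/webhooks\/trigger/;
function isWebhookEndpointVulnerable(ctx) {
  return WEBHOOK_RE_UNANCHORED.test(ctx.request.url);
}

// Hardened shape: anchor the pattern at both ends and test only the pathname,
// so query parameters cannot influence the decision.
const WEBHOOK_RE_ANCHORED = /^\/api\/webhooks\/trigger\/[^/?#]+$/;
function isWebhookEndpointHardened(ctx) {
  return WEBHOOK_RE_ANCHORED.test(ctx.request.path);
}

// The authorized() shape the advisory describes: a webhook match skips to
// next(); every other request must carry an authenticated user.
function authorized(isWebhookEndpoint) {
  return (ctx) => {
    if (isWebhookEndpoint(ctx)) return 'next:unauthenticated-webhook';
    if (!ctx.user) return 'reject:401';
    return 'next:authenticated';
  };
}

// Run the same request through both variants and return the decisions.
function compare(rawUrl, user = null) {
  const ctx = makeCtx(rawUrl, user);
  return {
    vulnerable: authorized(isWebhookEndpointVulnerable)(ctx),
    hardened: authorized(isWebhookEndpointHardened)(ctx),
  };
}

// Detection aid for access logs: a webhook path fragment inside the query
// string (never a legitimate place for it) marks an attempted bypass.
function looksLikeBypassAttempt(rawUrl) {
  return /\/webhooks\//.test(new URL(rawUrl, 'http://budibase.local').search);
}
```

Running `compare('/api/users?/webhooks/trigger')` shows the vulnerable check waving the request through while the hardened check rejects it, and a genuine `/api/webhooks/trigger/<id>` request still passes both.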

Affected Systems

Budibase v3.31.4 and earlier are affected. The vulnerable code resides in the Budibase server's authorized() middleware, which is part of all Budibase installations running these versions. No other vendors are listed in the CNA data.

Risk and Exploitability

With a CVSS base score of 9.1, the vulnerability is rated Critical. The EPSS score of 15% indicates a moderate but non-trivial likelihood of exploitation. The flaw is not yet listed in the KEV catalog. An attacker needs only network access to the Budibase server and the ability to construct a URL containing a webhook pattern; no authentication credentials are required. Once the webhook pattern matches, the request proceeds as if the user were fully authenticated, granting access to any API endpoint and the sensitive data behind it.

Generated by OpenCVE AI on April 20, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Budibase to the latest version that contains the fix for the authorized middleware.
  • If an upgrade is not immediately possible, block or strip any query parameters that contain the string "/webhooks/" (or any known webhook pattern) before they reach the application layer.
  • Implement network perimeter controls such as a WAF or firewall rules to deny requests that attempt to include webhook‑style query strings targeting the Budibase API.



Advisories

No advisories yet.

History

Fri, 13 Mar 2026 17:45:00 +0000

Type | Values Removed | Values Added
CPEs |  | cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*

Tue, 10 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics |  | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
First Time appeared |  | Budibase; Budibase budibase
Vendors & Products |  | Budibase; Budibase budibase

Mon, 09 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Description |  | Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized() middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any request. The isWebhookEndpoint() function uses an unanchored regex that tests against ctx.request.url, which in Koa includes the full URL with query parameters. When the regex matches, the authorized() middleware immediately calls return next(), skipping all authentication, authorization, role checks, and CSRF protection. This means a completely unauthenticated, remote attacker can access any server-side API endpoint by simply appending ?/webhooks/trigger (or any webhook pattern variant) to the URL.
Title |  | Budibase Universal Auth Bypass via Webhook Query Param Injection
Weaknesses |  | CWE-74
References |  | 
Metrics |  | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T15:20:48.703Z

Reserved: 2026-03-09T16:33:42.914Z

Link: CVE-2026-31816

Vulnrichment

Updated: 2026-03-10T15:19:36.045Z

NVD

Status: Analyzed

Published: 2026-03-09T21:16:20.733

Modified: 2026-03-13T17:33:41.703

Link: CVE-2026-31816

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T15:15:09Z

Weaknesses