Impact
An attacker can bypass Budibase’s authentication middleware by exploiting unanchored regular expressions that compare the request URL, including its query string, against publicly accessible paths. By appending a public endpoint string as a query parameter to a protected route, the regular expression matches and the request is allowed through, granting unauthenticated access to resources protected by the middleware. The flaw is an authentication bypass, corresponding to CWE‑287, and enables an attacker to read, alter, or delete data that should be restricted to authorized users.
Affected Systems
The affected environment is the Budibase open‑source low‑code platform: any deployment running a release older than 3.35.4. The vulnerable component is the authenticated middleware that performs pattern matching against ctx.request.url. Until version 3.35.4 this component misinterprets query strings, allowing the bypass. All Budibase installations relying on these releases are exposed.
Risk and Exploitability
The CVSS score is 9.1, indicating critical severity, while the EPSS score is less than 1 %, suggesting low current exploitation probability but non‑zero risk. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely without authentication by crafting a URL that places a known public endpoint into the query string of a protected request. Because the middleware applies the same pattern matching, the request is treated as legitimate, exposing the protected endpoint entirely.
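The following is an added illustration, not code from Budibase or from the advisory. It reduces the flaw to a minimal Koa‑style "is this route public?" check in the two shapes the advisory contrasts: the vulnerable shape tests unanchored patterns against the raw request URL (path plus query string), while the hardened shape strips the query string and matches an anchored pattern against the pathname only. Every route name and pattern in it is a hypothetical placeholder, not a real Budibase endpoint, and the `authDecision` and `regressionSuite` helpers are this example's own.

```javascript
// Added example (not Budibase's own code). Route names and patterns are
// hypothetical placeholders chosen for illustration only.

// Vulnerable shape: unanchored patterns tested against the raw request URL.
// In Koa, ctx.request.url is path + query, e.g. "/api/admin/users?x=1",
// so anything appearing in the query string is also matched.
const PUBLIC_PATTERNS_UNANCHORED = [
  /\/api\/public\/status/, // hypothetical health endpoint
  /\/assets\//,            // hypothetical static asset prefix
];

function isPublicVulnerable(requestUrl) {
  return PUBLIC_PATTERNS_UNANCHORED.some((re) => re.test(requestUrl));
}

// Hardened shape: discard the query string, then match the pathname only,
// with every pattern anchored at both ends.
const PUBLIC_PATTERNS_ANCHORED = [
  /^\/api\/public\/status$/,
  /^\/assets\/[^/]+$/,
];

function pathnameOf(requestUrl) {
  // The WHATWG URL parser needs a base origin to parse a relative URL; the
  // base is discarded and only the parsed pathname is used.
  return new URL(requestUrl, "http://placeholder.invalid").pathname;
}

function isPublicHardened(requestUrl) {
  const pathname = pathnameOf(requestUrl);
  return PUBLIC_PATTERNS_ANCHORED.some((re) => re.test(pathname));
}

// Middleware decision: public routes pass; everything else needs a session.
// The public-route check is injected so both shapes can be compared.
function authDecision(requestUrl, hasSession, isPublic) {
  if (isPublic(requestUrl)) return { allowed: true, reason: "public route" };
  if (hasSession) return { allowed: true, reason: "authenticated" };
  return { allowed: false, reason: "authentication required" };
}

// Defender-side regression check: every protected route must be refused for
// an anonymous caller no matter what the query string contains. Returns true
// only when the supplied public-route check holds for all constructed URLs.
function regressionSuite(isPublic) {
  const protectedUrls = [
    "/api/admin/users",
    "/api/admin/users?x=/api/public/status", // query echoes a public path
    "/api/admin/users?next=/assets/app.js",
  ];
  return protectedUrls.every(
    (u) => authDecision(u, false, isPublic).allowed === false
  );
}

console.log("vulnerable check passes regression:", regressionSuite(isPublicVulnerable));
console.log("hardened check passes regression:", regressionSuite(isPublicHardened));
```

The important design choice is that the hardened check never sees the query string at all: it parses the URL, matches only the pathname, and anchors each pattern with `^` and `$`, so a public path can only be recognised when it is the actual route being requested. A regression check like `regressionSuite` is a cheap way to keep that property from silently disappearing when the public‑route list is edited later.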
OpenCVE Enrichment
Github GHSA