Description
Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. JavaScript can read this cookie via document.cookie. This means every XSS becomes a full account takeover — the attacker steals the JWT and has persistent access to the victim's account. The cookie also lacks secure: true (sent over plaintext HTTP) and sameSite attribute. This issue has been patched in version 3.35.10.
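Added example, not code from Budibase or from the advisory: it serialises the budibase:auth Set-Cookie header in the pre-3.35.10 form described above and in a hardened form, and audits any Set-Cookie header for the attributes the advisory names (CWE-1004). The cookie name and attributes come from the advisory; the function names, option shape and the SameSite value are assumptions.

```javascript
// Cookie name from the advisory; everything else here is illustrative.
const AUTH_COOKIE = "budibase:auth";

// Defaults mirror the weakness described: httpOnly false, no secure, no sameSite.
function buildAuthCookie(token, opts = {}) {
  const { httpOnly = false, secure = false, sameSite } = opts;
  const parts = [`${AUTH_COOKIE}=${encodeURIComponent(token)}`, "Path=/"];
  if (httpOnly) parts.push("HttpOnly");            // hides it from document.cookie
  if (secure) parts.push("Secure");                // never sent over plaintext HTTP
  if (sameSite) parts.push(`SameSite=${sameSite}`); // limits cross-site sending
  return parts.join("; ");
}

// Form the advisory says 3.35.10 ships. "Lax" is an assumed value; the advisory
// only states that the sameSite attribute is now set.
function buildHardenedAuthCookie(token) {
  return buildAuthCookie(token, { httpOnly: true, secure: true, sameSite: "Lax" });
}

// Report which session-cookie protections a Set-Cookie header lacks. Also flags
// SameSite=None without Secure, which browsers reject.
function auditSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const name = nameValue.split("=")[0];
  const lower = attrs.map((a) => a.toLowerCase());
  const missing = [];
  if (!lower.includes("httponly")) missing.push("HttpOnly");
  if (!lower.includes("secure")) missing.push("Secure");
  const sameSite = lower.find((a) => a.startsWith("samesite="));
  if (!sameSite) missing.push("SameSite");
  else if (sameSite === "samesite=none" && !lower.includes("secure")) {
    missing.push("SameSite=None requires Secure");
  }
  return { name, missing };
}

// Stand-alone run over a constructed token (not a real session JWT).
const demoToken = "eyJhbGciOiJIUzI1NiJ9.constructed.token";
for (const h of [buildAuthCookie(demoToken), buildHardenedAuthCookie(demoToken)]) {
  console.log(h, "->", auditSetCookie(h).missing);
}
```

The weak header audits as missing HttpOnly, Secure and SameSite; the hardened header audits clean.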
Published: 2026-05-07
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Budibase authentication mechanism allows the session cookie, which contains a JWT, to be set with httpOnly disabled, secure omitted, and sameSite missing. Because the cookie is readable by client-side JavaScript, any injected cross‑site scripting code can retrieve the token and gain persistent full access to the victim’s account. The vulnerability presents a direct path for an attacker to hijack accounts without further compromise, impacting confidentiality and integrity of user data.

Affected Systems

Budibase, an open‑source low‑code platform, is affected in all releases prior to version 3.35.10. Users must update to 3.35.10 or later to receive the fix that sets httpOnly, secure, and sameSite attributes for the auth cookie.

Risk and Exploitability

The CVSS score of 8.1 classifies this issue as high severity. With no EPSS value available and the vulnerability absent from the CISA KEV catalog, official indicators do not quantify current exploitation probability, but the straightforward XSS attack path suggests a realistic risk for environments with web vulnerabilities. Attackers need only inject script to read the cookie, bypassing any authentication, and can then impersonate the user for the entire session duration.

Generated by OpenCVE AI on May 7, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Budibase to version 3.35.10 or later, which sets httpOnly, secure, and sameSite attributes for the auth cookie
  • Apply a Content Security Policy that restricts inline scripts to reduce the risk of XSS, and review the application for remaining XSS vectors
  • Conduct a comprehensive audit of the application to identify and remediate any additional XSS vectors

Generated by OpenCVE AI on May 7, 2026 at 21:06 UTC.


Advisories
Source: Github GHSA
ID: GHSA-4f9j-vr4p-642r
Title: Budibase auth session cookies are set with httpOnly:false — any XSS can lead to full account takeover
History

Thu, 07 May 2026 20:45:00 +0000

Type: First Time appeared
Values Added: Budibase; Budibase budibase
Type: Vendors & Products
Values Added: Budibase; Budibase budibase

Thu, 07 May 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 07 May 2026 19:30:00 +0000

Type: Description
Values Added: Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. JavaScript can read this cookie via document.cookie. This means every XSS becomes a full account takeover — the attacker steals the JWT and has persistent access to the victim's account. The cookie also lacks secure: true (sent over plaintext HTTP) and sameSite attribute. This issue has been patched in version 3.35.10.
Type: Title
Values Added: Budibase auth session cookies are set with httpOnly:false — any XSS can lead to full account takeover
Type: Weaknesses
Values Added: CWE-1004
Type: References
Type: Metrics
Values Added: cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N'}


Subscriptions

Budibase Budibase
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T19:39:45.605Z

Reserved: 2026-04-25T05:37:12.118Z

Link: CVE-2026-42239

Vulnrichment

Updated: 2026-05-07T19:39:41.873Z

NVD

Status : Awaiting Analysis

Published: 2026-05-07T20:16:44.097

Modified: 2026-05-07T20:35:58.117

Link: CVE-2026-42239

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:15:11Z

Weaknesses