Description
Budibase is an open-source low-code platform. Prior to 3.35.4, the buildMatcherRegex() / matches() functions in packages/backend-core/src/middleware/matchers.ts route patterns are compiled into unanchored regular expressions and tested against ctx.request.url, which includes the full query string. The CSRF middleware in the Budibase Worker uses this matching system to decide whether to skip CSRF token validation. An unauthenticated attacker can forge state-changing cross-origin requests against any Worker API endpoint by injecting a public route pattern into the query string, causing the CSRF middleware to skip token validation entirely. This allows actions such as sending admin invites, modifying global configuration, and managing users without a valid CSRF token. This vulnerability is fixed in 3.35.4.
Published: 2026-05-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from unanchored regular expressions generated in the Budibase backend core when compiling route patterns. These expressions are tested against the full request URL, including the query string, allowing an attacker to inject a public route pattern that causes the CSRF middleware to skip token validation for any Worker API endpoint. As a result, an unauthenticated attacker can send state‑changing requests such as admin invites, configuration changes, and user management actions without providing a CSRF token. The CVSS score of 6.5 indicates a moderate severity, reflecting the potential for elevated privileges without authentication.

Affected Systems

Budibase products prior to version 3.35.4 are affected. The issue is present in the backend core matchers used by the Budibase Worker.

Risk and Exploitability

The risk is moderate, as reflected by the CVSS score, and exploitation requires only that an attacker can craft a request to a Worker API endpoint reachable from the internet. No authentication or privileged access is required—any remote attacker can construct a query string that includes a public route pattern to trigger the bypass. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, indicating no known mass exploitation. However, the nature of the flaw allows an attacker to execute privileged actions on the target system without CSRF protection, which constitutes a clear privilege escalation vector.

Generated by OpenCVE AI on May 27, 2026 at 19:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Budibase 3.35.4 patch or later to resolve the regex compilation and CSRF bypass flaw.
  • If an immediate upgrade is not feasible, configure the Worker to reject public route patterns supplied via the query string or remove the ability to inject public routes, thereby preventing the bypass.
  • Confirm that the CSRF middleware is active and enforces token validation on all state‑changing endpoints, and consider implementing additional input validation for query strings to mitigate similar risks.

Generated by OpenCVE AI on May 27, 2026 at 19:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wxq7-x3qp-vcr8 Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker
History

Thu, 28 May 2026 05:00:00 +0000

Type Values Removed Values Added
First Time appeared Budibase
Budibase budibase
Vendors & Products Budibase
Budibase budibase

Wed, 27 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Budibase is an open-source low-code platform. Prior to 3.35.4, the buildMatcherRegex() / matches() functions in packages/backend-core/src/middleware/matchers.ts route patterns are compiled into unanchored regular expressions and tested against ctx.request.url, which includes the full query string. The CSRF middleware in the Budibase Worker uses this matching system to decide whether to skip CSRF token validation. An unauthenticated attacker can forge state-changing cross-origin requests against any Worker API endpoint by injecting a public route pattern into the query string, causing the CSRF middleware to skip token validation entirely. This allows actions such as sending admin invites, modifying global configuration, and managing users without a valid CSRF token. This vulnerability is fixed in 3.35.4.
Title Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker
Weaknesses CWE-185
CWE-352
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

Subscriptions

Budibase Budibase
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T18:32:17.031Z

Reserved: 2026-05-20T23:12:43.030Z

Link: CVE-2026-48147

cve-icon Vulnrichment

Updated: 2026-05-27T18:31:34.518Z

cve-icon NVD

Status : Deferred

Published: 2026-05-27T18:16:27.063

Modified: 2026-05-27T20:16:40.843

Link: CVE-2026-48147

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T04:45:07Z

Weaknesses
  • CWE-185

    Incorrect Regular Expression

  • CWE-352

    Cross-Site Request Forgery (CSRF)