Description
Budibase is an open-source low-code platform. Prior to 3.39.0, `GET /api/chat-links/:instance/:token/handoff` is a public endpoint (no auth required) that performs a permanent, state-changing operation: it binds an external chat identity (Slack/Discord/MS Teams) to an authenticated Budibase user account, with no consent UI and no CSRF protection. The session token in the URL is created by the attacker (from their own /link slash command) and embeds the attacker's externalUserId. When an authenticated Budibase victim visits the URL, their account is silently and permanently linked to the attacker's Slack/Discord identity. The server responds with "Authentication succeeded." — no indication of what was linked. This vulnerability is fixed in 3.39.0.
Published: 2026-06-26
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A public endpoint in Budibase allows an attacker to permanently link an external chat identity, such as Slack, Discord or Microsoft Teams, to an authenticated Budibase user account without requiring user consent or CSRF protection. The operation requires no authentication on the server side, and the response confirms success without indicating that the link was created. This behavior gives the attacker the ability to impersonate the victim and use the linked chat identity to perform actions on the victim’s behalf.

Affected Systems

Budibase, an open‑source low‑code platform, is affected on all releases prior to 3.39.0. The vulnerability exists in the GET /api/chat-links/:instance/:token/handoff endpoint, which is available to unauthenticated users. Upgrading to version 3.39.0 or later resolves the issue.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.3, indicating high severity. No EPSS score is available, and the flaw is not listed in CISA’s KEV catalog. Attackers can exploit it by crafting a URL containing a session token that includes an attacker‑controlled externalUserId. If an authenticated user visits the URL, the attacker successfully links the user’s account to their chat identity, enabling account impersonation and potential further abuse. The lack of authentication, consent, and CSRF protection makes the attack vector straightforward and the exploitation probability high for any user who clicks a malicious link.

Generated by OpenCVE AI on June 26, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Budibase to version 3.39.0 or later to fix the endpoint
  • Temporarily disable the /api/chat-links/:instance/:token/handoff endpoint if an upgrade cannot be performed immediately
  • Add a consent UI and CSRF protection to any future chat‑link binding operations to prevent unauthorized binding
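
The pre-fix pattern the description attributes to the handoff endpoint is shown below beside a hardened handler that applies the consent and CSRF controls the recommended actions call for: no state change on GET, a session-bound CSRF token, an explicit confirmation, and a reply that names the identity being linked. This is an added illustration, not Budibase's code; the request, session and token types are constructed stand-ins for the project's real data model.

```typescript
// Constructed example, not Budibase code: models the handoff with framework-agnostic types.
type Provider = "slack" | "discord" | "teams";
interface ChatLinkToken { provider: Provider; externalUserId: string; } // externalUserId comes from whoever ran /link
interface UserSession { userId: string; csrfToken: string; }
interface HandoffRequest {
  method: "GET" | "POST";
  session?: UserSession;  // present when the browser carries a valid login cookie
  csrfHeader?: string;    // copied from the session by page script; absent on a bare link click
  confirmed?: boolean;    // explicit answer from a consent form
}
interface HandoffResult { status: number; body: string; }

// userId -> linked chat identity; in-memory stand-in for the real store
const links = new Map<string, ChatLinkToken>();

// Pre-3.39.0 pattern from the advisory: the only check is that the visitor is logged in,
// then whatever identity the URL token carries is bound and a bare success string returned.
function vulnerableHandoff(req: HandoffRequest, token: ChatLinkToken): HandoffResult {
  if (!req.session) return { status: 401, body: "Unauthorized" };
  links.set(req.session.userId, token);
  return { status: 200, body: "Authentication succeeded." };
}

// Hardened flow: GET only shows what would be linked; the bind needs a POST carrying the
// session's CSRF token and an explicit confirmation, and the reply names the identity.
function hardenedHandoff(req: HandoffRequest, token: ChatLinkToken): HandoffResult {
  const identity = `${token.provider} user ${token.externalUserId}`;
  if (req.method !== "POST") {
    return { status: 200, body: `Link ${identity} to your account? Confirm to proceed.` };
  }
  if (!req.session) return { status: 401, body: "Unauthorized" };
  if (!req.csrfHeader || !constantTimeEqual(req.csrfHeader, req.session.csrfToken)) {
    return { status: 403, body: "CSRF token missing or invalid" };
  }
  if (req.confirmed !== true) return { status: 400, body: "Consent not given" };
  links.set(req.session.userId, token);
  return { status: 200, body: `Linked ${identity} to account ${req.session.userId}.` };
}

// Length check then XOR accumulate, so the comparison does not exit early on mismatch.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}
```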

Advisories
Source: Github GHSA
ID: GHSA-v7j5-vc4m-723w
Title: Budibase has an Account Impersonation Issue — Chat Identity Link Hijacking via Missing Consent & CSRF
History

Fri, 26 Jun 2026 21:00:00 +0000

Values Removed: none
Values Added:
Description: identical to the description above
Title: Budibase: Chat Identity Link Hijacking via Missing Consent & CSRF — Account Impersonation in Budibase
Weaknesses: CWE-284, CWE-352
References: (empty)
Metrics: cvssV3_1, score 7.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-26T20:34:30.304Z
Reserved: 2026-06-03T18:49:32.275Z
Link: CVE-2026-50132

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T23:00:09Z

Weaknesses
  • CWE-284: Improper Access Control
  • CWE-352: Cross-Site Request Forgery (CSRF)