Description
Budibase is an open-source low-code platform. Prior to 3.39.3, the application server exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored in a workspace datasource. The route is protected only by the recaptcha middleware and does not require authentication, table permission, datasource permission, or builder access. A public caller who knows a workspace ID and S3 datasource ID can request a signed upload URL for attacker-controlled bucket and key values. This vulnerability is fixed in 3.39.3.
Published: 2026-06-26
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Budibase, an open-source low-code platform, has a flaw that allows anyone to obtain a signed S3 PutObject URL without any authentication. The vulnerable endpoint accepts a workspace ID and a datasource ID, both of which are public, and generates the presigned URL using credentials stored in the workspace. An attacker can specify arbitrary bucket and key values, enabling the upload of any file to any S3 bucket the credentials grant access to, thereby compromising data integrity and potentially creating a persistence layer.

Affected Systems

This issue affects all Budibase installations running a version older than 3.39.3. The vulnerability exists on the application server endpoint that does not enforce authentication, table permissions, datasource permissions, or builder access. If an attacker knows the workspace and datasource identifiers, they can target any deployment exposed to the internet.

Risk and Exploitability

The CVSS score of 7.4 (rated High) indicates a significant severity. While no EPSS score is available, the lack of authentication and the public reachability of the endpoint make exploitation straightforward for anyone who identifies the target workspace and datasource identifiers. The vulnerability is not yet listed in the CISA KEV catalog, but operators of any exposed deployment should treat the risk as significant and act promptly.

Generated by OpenCVE AI on June 26, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Budibase to version 3.39.3 or later, which removes the unauthenticated endpoint.
  • Verify that the endpoint no longer accepts requests from the internet.
  • Revoke or rotate any S3 credentials stored in the workspace to limit the impact of any misuse that may already have occurred through the endpoint.


Advisories

Source: GitHub GHSA
ID: GHSA-jj36-r9w3-3pfh
Title: Budibase: Unauthenticated S3 signed upload URL generation allows arbitrary writes with stored datasource credentials
History

Fri, 26 Jun 2026 21:00:00 +0000

Values added:

Description: Budibase is an open-source low-code platform. Prior to 3.39.3, the application server exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored in a workspace datasource. The route is protected only by the recaptcha middleware and does not require authentication, table permission, datasource permission, or builder access. A public caller who knows a workspace ID and S3 datasource ID can request a signed upload URL for attacker-controlled bucket and key values. This vulnerability is fixed in 3.39.3.
Title: Budibase: Unauthenticated S3 signed upload URL generation allows arbitrary writes with stored datasource credentials
Weaknesses: CWE-306
References:
Metrics (cvssV3_1): score 7.4, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T20:36:54.016Z

Reserved: 2026-06-03T18:49:32.275Z

Link: CVE-2026-50136

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T22:30:04Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function