Description
Budibase is an open-source low-code platform. Prior to 3.39.0, an anonymous attacker who knows or can enumerate a workspace id (app_...) and an S3-source datasource id (ds_...) can call this endpoint with no auth and obtain a 15-minute pre-signed PUT URL minted on the victim's IAM identity. The endpoint also returns the publicUrl so the attacker knows exactly where their PUT lands. Because bucket is attacker-controlled, the attacker can write to any bucket those IAM credentials can write to, not only the bucket the datasource was configured for. The Budibase server route POST /api/attachments/:datasourceId/url (packages/server/src/api/routes/static.ts) is registered with only the recaptcha middleware. There is no authorized(...) middleware in the chain. The controller (packages/server/src/api/controllers/static/index.ts::getSignedUploadURL) looks the requested datasource up, instantiates an AWS S3 client with the datasource's stored accessKeyId / secretAccessKey, and returns an AWS Signature V4 pre-signed PutObjectCommand URL for the caller-supplied bucket and key. The bucket is not pinned to the datasource's configured bucket. The workspace context required by sdk.datasources.get is sourced by getWorkspaceIdFromCtx (packages/backend-core/src/utils/utils.ts) from any of: the x-budibase-app-id header, the JSON body appId, a path segment that begins with the workspace prefix, or ?appId=. auth.buildAuthMiddleware([], { publicAllowed: true }) runs before any of this and explicitly allows anonymous requests. The currentWorkspace middleware's "deny access to dev preview" branch only triggers under isBrowser(ctx) && !isApiKey(ctx); isBrowser checks the parsed User-Agent for a recognised browser, so any non-browser client (curl, the supplied PoC, any tool not setting a browser UA) is neither and reaches dev workspaces too. This vulnerability is fixed in 3.39.0.
Published: 2026-06-26
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Budibase server exposes a POST /api/attachments/:datasourceId/url endpoint that accepts calls without authentication. The controller builds an AWS S3 client with credentials stored in the datasource and returns a pre‑signed PutObjectCommand URL that the caller can use to write to any S3 bucket the credentials permit for 15 minutes. The caller also receives the publicUrl of the bucket, allowing them to target arbitrary buckets, not only the one intended for the datasource. This missing authorization (CWE‑862) allows an attacker to modify or exfiltrate data in S3 buckets without any prior access, potentially violating confidentiality, integrity, and availability of the data stored there.

Affected Systems

Budibase platform versions prior to 3.39.0 are vulnerable when one or more S3 datasource credentials are configured. Any deployed instance that has an S3 datasource configured with IAM credentials is affected, regardless of the workspace’s visibility or active status. The vulnerability is fixed in Budibase 3.39.0 and later.

Risk and Exploitability

The CVSS score of 8.2 reflects a high impact due to unauthenticated access and potential data compromise. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred: an attacker who can enumerate or knows a workspace ID (app_…) and a datasource ID (ds_…) can issue an unauthenticated request to the endpoint and obtain a pre‑signed PUT URL. Once the URL is received, the attacker can write to any bucket that the credentials allow, with a 15‑minute validity window. The required knowledge of IDs may limit exploitation to insiders or those who can discover them through enumeration, but once obtained the impact is severe.

Generated by OpenCVE AI on June 26, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Budibase 3.39.0 or later
  • If an immediate upgrade is not possible, block access to the POST /api/attachments/:datasourceId/url endpoint or require authentication via a firewall or API gateway
  • Rotate IAM credentials for all S3 datasource connections and restrict permissions to only the intended bucket

Generated by OpenCVE AI on June 26, 2026 at 22:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-35c4-rvc8-frhm Budibase: POST /api/attachments/:datasourceId/url is unauthenticated and lets anonymous callers mint S3 PUT pre-signed URLs using stored datasource IAM credentials
History

Fri, 26 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description Budibase is an open-source low-code platform. Prior to 3.39.0, an anonymous attacker who knows or can enumerate a workspace id (app_...) and an S3-source datasource id (ds_...) can call this endpoint with no auth and obtain a 15-minute pre-signed PUT URL minted on the victim's IAM identity. The endpoint also returns the publicUrl so the attacker knows exactly where their PUT lands. Because bucket is attacker-controlled, the attacker can write to any bucket those IAM credentials can write to, not only the bucket the datasource was configured for. The Budibase server route POST /api/attachments/:datasourceId/url (packages/server/src/api/routes/static.ts) is registered with only the recaptcha middleware. There is no authorized(...) middleware in the chain. The controller (packages/server/src/api/controllers/static/index.ts::getSignedUploadURL) looks the requested datasource up, instantiates an AWS S3 client with the datasource's stored accessKeyId / secretAccessKey, and returns an AWS Signature V4 pre-signed PutObjectCommand URL for the caller-supplied bucket and key. The bucket is not pinned to the datasource's configured bucket. The workspace context required by sdk.datasources.get is sourced by getWorkspaceIdFromCtx (packages/backend-core/src/utils/utils.ts) from any of: the x-budibase-app-id header, the JSON body appId, a path segment that begins with the workspace prefix, or ?appId=. auth.buildAuthMiddleware([], { publicAllowed: true }) runs before any of this and explicitly allows anonymous requests. The currentWorkspace middleware's "deny access to dev preview" branch only triggers under isBrowser(ctx) && !isApiKey(ctx); isBrowser checks the parsed User-Agent for a recognised browser, so any non-browser client (curl, the supplied PoC, any tool not setting a browser UA) is neither and reaches dev workspaces too. This vulnerability is fixed in 3.39.0.
Title Budibase: POST /api/attachments/:datasourceId/url is unauthenticated and lets anonymous callers mint S3 PUT pre-signed URLs using stored datasource IAM credentials
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T20:41:03.443Z

Reserved: 2026-06-03T18:49:32.275Z

Link: CVE-2026-50137

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T22:30:04Z

Weaknesses