Description
Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in externalTrigger() allows an attacker to overwrite the internal appId property by including it in the webhook POST body. When the automation is processed asynchronously (the default path for webhooks without a collect step), the worker executes the attacker-defined automation in the context of the victim's workspace, granting full read/write access to the victim's database. This vulnerability is fixed in 3.39.9.
Published: 2026-06-26
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Budibase, an open‑source low‑code platform, contains a mass‑assignment flaw in the externalTrigger() function that processes webhook POST requests. Because the public webhook trigger endpoint includes the entire HTTP request body in automation parameters, an attacker can supply an appId field in the payload. This overwrites the internal appId, causing the automation to run asynchronously in the victim workspace’s context. The outcome is that the attacker‑defined automation executes with full read and write privileges to the workspace’s database. The weakness is a classic mass assignment issue (CWE‑915) that enables remote code or database manipulation without authentication.

Affected Systems

Any instance of Budibase earlier than version 3.39.9 is vulnerable. The affected component is the webhook trigger endpoint, whose requests are handled by externalTrigger(). The fix is included in release 3.39.9 and later.

Risk and Exploitability

With a CVSS score of 8.2 the vulnerability is classified as high severity. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog, so there is no confirmed evidence of exploitation in the wild at the time of writing. The likely attack vector is an HTTP POST to the public webhook trigger endpoint, which an attacker can reach whenever the endpoint is exposed over the internet. If the endpoint is reachable and an attacker can craft the payload, exploitation is straightforward and requires no additional credentials. Consequently, organizations running Budibase instances that expose this endpoint should prioritize remediation.

Generated by OpenCVE AI on June 26, 2026 at 22:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Budibase to version 3.39.9 or later to receive the patch that removes the mass‑assignment flaw.
  • If an upgrade cannot be performed immediately, block external access to the webhook trigger endpoint using firewall rules or application‑layer restrictions, limiting traffic to trusted IP ranges.
  • If the platform supports it, enable authentication on the webhook endpoint or disable external triggers that do not require authentication.
  • Regularly audit webhook logs for POST requests containing an appId field and monitor for unauthorized automation changes.
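The following is an added illustration of the mass-assignment pattern the description above refers to, together with a hardened variant and the log-audit check from the last recommendation. It is not Budibase's code; the function names, the route-context shape and the sample values are hypothetical.

```javascript
// Added example, not Budibase's code. Shows the mass-assignment pattern
// described in this advisory (request body merged over internal parameters)
// and one way to close it. All names and sample values are hypothetical.

// Internal keys that must only ever come from the server-side route context,
// never from the request body. Extend with other internal identifiers as needed.
const RESERVED_KEYS = new Set(["appId"]);

// Vulnerable shape: the whole request body is spread into the execution
// parameters after the internal values, so a body containing "appId"
// silently overrides the value derived from the route.
function buildParamsUnsafe(routeCtx, body) {
  return { appId: routeCtx.appId, automation: routeCtx.automation, ...body };
}

// Hardened shape: internal identifiers are taken from the route context only,
// and caller-supplied data lives in its own "fields" sub-object so it can
// never collide with internal properties. Reserved keys are dropped.
function buildParamsSafe(routeCtx, body) {
  const fields = {};
  for (const [key, value] of Object.entries(body ?? {})) {
    if (RESERVED_KEYS.has(key)) continue; // ignore attempts to set internal keys
    fields[key] = value;
  }
  return { appId: routeCtx.appId, automation: routeCtx.automation, fields };
}

// Audit helper for the "monitor webhook logs" recommendation: returns the
// reserved keys present in a decoded webhook body so the request can be flagged.
function findReservedKeys(body) {
  return Object.keys(body ?? {}).filter((key) => RESERVED_KEYS.has(key));
}

// Constructed sample data (placeholders, not real identifiers): the route
// context the server derived, and a body carrying a foreign appId next to
// ordinary webhook fields.
const routeCtx = { appId: "app_route_placeholder", automation: "auto_placeholder" };
const sampleBody = { appId: "app_other_placeholder", email: "user@example.com" };

// Runs the three functions over the sample so the contrast is visible.
function demo() {
  return {
    unsafeAppId: buildParamsUnsafe(routeCtx, sampleBody).appId,
    safeAppId: buildParamsSafe(routeCtx, sampleBody).appId,
    flaggedKeys: findReservedKeys(sampleBody),
  };
}

console.log(demo());
```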

Advisories

  • Source: GitHub GHSA
    ID: GHSA-rgvg-3wpc-h44p
    Title: Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override

History

Fri, 26 Jun 2026 21:00:00 +0000

Type: Values Removed / Values Added

  • Description: (identical to the Description at the top of this page)
  • Title: Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override
  • Weaknesses: CWE-915
  • References
  • Metrics: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T20:45:35.017Z

Reserved: 2026-06-12T19:23:22.317Z

Link: CVE-2026-54351

OpenCVE Enrichment

Updated: 2026-06-26T22:45:05Z

Weaknesses

  • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes