anonhaven
Ad

CVE-2026-31816

CRITICAL CVSS 3.1: 9.1 EPSS 8.42%
Updated Mar 13, 2026
Budibase
Parameter Value
CVSS 9.1 (CRITICAL)
Affected Versions before 3.31.4
Type CWE-74 (Injection)
Vendor Budibase
Public PoC No

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized() middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any request. The isWebhookEndpoint() function uses an unanchored regex that tests against ctx.request.url, which in Koa includes the full URL with query parameters.

When the regex matches, the authorized() middleware immediately calls return next(), skipping all authentication, authorization, role checks, and CSRF protection. This means a completely unauthenticated, remote attacker can access any server-side API endpoint by simply appending ?/webhooks/trigger (or any webhook pattern variant) to the URL.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-74 Injection

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Budibase Budibase
cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*
 <= 3.31.4

References 1

https://github.com/Budibase/budibase/security/advisories/GHSA-gw94-hprh-4wj8
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-25737

Budibase

9.0

CVE-2026-25045

Budibase

8.7

CVE-2026-27702

Budibase

9.9