CVE-2026-50136 in Budibase
Summary
by MITRE • 06/27/2026
Budibase is an open-source low-code platform. Prior to 3.39.3, the application server exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored in a workspace datasource. The route is protected only by the recaptcha middleware and does not require authentication, table permission, datasource permission, or builder access. A public caller who knows a workspace ID and S3 datasource ID can request a signed upload URL for attacker-controlled bucket and key values. This vulnerability is fixed in 3.39.3.
Analysis
by VulDB Data Team • 06/27/2026
The vulnerability identified in Budibase versions prior to 3.39.3 represents a critical authorization bypass flaw that exposes sensitive data handling capabilities through an improperly protected API endpoint. This issue stems from the application server's design where a specific route generates S3 PutObject presigned URLs without adequate authentication or access control mechanisms. The endpoint's exposure occurs through the use of workspace ID and S3 datasource ID as parameters, which allows any external party to request signed upload URLs for arbitrary S3 bucket locations and object keys. The vulnerability specifically affects the platform's security model by eliminating fundamental access controls that should normally govern data operations within the system.
The flaw lies in the endpoint's sole reliance on reCAPTCHA middleware for protection. reCAPTCHA is an anti-bot mechanism, not an authentication or authorization control: passing it shows that a challenge was solved, not who the caller is or what they may do. As a result, any attacker who knows a valid workspace identifier and datasource ID can bypass all standard access controls, including table permissions, datasource permissions, and builder access requirements. The endpoint does not validate the requester's identity or privileges, effectively allowing unauthorized upload operations to S3 buckets that may contain sensitive information. This is a classic case of insufficient authorization checks, where the system treats reCAPTCHA validation as if it established a legitimate user, which is inadequate for protecting data resources.
The operational impact of this vulnerability extends beyond simple unauthorized access to encompass potential data exfiltration and malicious file uploads to attacker-chosen bucket and key values, signed with the credentials stored in the workspace datasource. Attackers can leverage this flaw to upload malicious files, potentially leading to code execution or data compromise within the affected systems. Because the endpoint is public, any external party with knowledge of valid workspace IDs could exploit it without legitimate credentials or access rights. This creates a significant risk for organizations using Budibase as their low-code platform, particularly those handling sensitive data through S3 integrations, as the flaw allows direct manipulation of cloud storage resources without proper authorization verification.
The security implications align with common weakness patterns identified in CWE-284, which addresses improper access control, and CWE-306, which covers missing authentication. From an attack framework perspective, this vulnerability maps to techniques described under MITRE ATT&CK's privilege escalation and persistence tactics, where adversaries can gain unauthorized access to cloud storage resources. The fix implemented in version 3.39.3 likely involves strengthening authorization checks by requiring proper authentication tokens or session validation before allowing the generation of presigned URLs. Organizations should implement comprehensive monitoring for unusual S3 activity patterns and ensure all API endpoints properly validate user credentials and permissions. Additional mitigations include limiting the exposure of workspace identifiers through proper input validation, implementing rate limiting on sensitive endpoints, and ensuring that any credential management within low-code platforms properly enforces access controls to prevent unauthorized data operations across cloud storage integrations.
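The difference between an anti-bot check and real access control can be seen in a small middleware-chain model. This is an added example, not Budibase code or the 3.39.3 patch; every function name, the `ds_1` datasource, the bucket name and the per-user key prefix policy are assumptions made for illustration.

```javascript
// Added illustration. Every name here is hypothetical; this is not Budibase code.
// A middleware takes ctx and throws an error carrying .status to reject the request.
const reject = (status, msg) => { throw Object.assign(new Error(msg), { status }); };

// Constructed sample: bucket configured on the stored S3 datasource.
const DATASOURCES = { ds_1: { bucket: "app-uploads" } };

// Anti-bot check: shows a challenge was solved, says nothing about who is calling.
const recaptcha = (ctx) => { if (!ctx.captchaOk) reject(400, "captcha failed"); };

// Identity: a server-resolved session must exist.
const authenticated = (ctx) => { if (!ctx.user) reject(401, "login required"); };

// Authorization: the caller needs a write grant on this specific datasource.
const canWriteDatasource = (ctx) => {
  const grants = ctx.user.grants[ctx.params.datasourceId] || [];
  if (!grants.includes("write")) reject(403, "no datasource permission");
};

// Scope (assumed policy): bucket must match stored config, key stays under a per-user prefix.
const scopedTarget = (ctx) => {
  const ds = DATASOURCES[ctx.params.datasourceId];
  if (!ds || ctx.body.bucket !== ds.bucket) reject(403, "bucket not allowed");
  const key = String(ctx.body.key);
  if (!key.startsWith(`uploads/${ctx.user.id}/`) || key.includes("..")) reject(403, "key not allowed");
};

// Stand-in for the signer; a real handler would call the S3 presigner at this point.
const signUpload = (ctx) => ({ status: 200, signedFor: `${ctx.body.bucket}/${ctx.body.key}` });

function run(chain, ctx) {
  try {
    for (const mw of chain) mw(ctx);
    return signUpload(ctx);
  } catch (e) {
    if (!e.status) throw e; // programming error, not a policy rejection
    return { status: e.status, error: e.message };
  }
}

const vulnerableChain = [recaptcha]; // route shape described for versions before 3.39.3
const hardenedChain = [recaptcha, authenticated, canWriteDatasource, scopedTarget];

// Constructed requests: same captcha result, different callers and targets.
const req = (user, bucket, key) =>
  ({ captchaOk: true, user, params: { datasourceId: "ds_1" }, body: { bucket, key } });
const alice = { id: "alice", grants: { ds_1: ["write"] } };
const bob = { id: "bob", grants: {} };
```

Running the same anonymous request through both chains shows the captcha-only chain signing for a caller-supplied bucket, while the layered chain rejects at the first missing control.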