Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. JavaScript can read this cookie via document.cookie. This means every XSS becomes a full account takeover - the attacker steals the JWT and has persistent access to the victim's account. The cookie also lacks secure: true (sent over plaintext HTTP) and sameSite attribute. This issue has been patched in version 3.35.10.
AnalysisAI
Session hijacking via JavaScript-readable authentication cookies in Budibase versions prior to 3.35.10 allows any Cross-Site Scripting (XSS) vulnerability to escalate into full account takeover. The budibase:auth cookie containing the JWT session token is set with httpOnly: false, enabling JavaScript to read it via document.cookie. Combined with confirmed prior XSS vulnerabilities in Budibase (GHSA-gp5x-2v54-v2q5), attackers can exfiltrate session tokens and gain persistent access to victim accounts. The cookie also lacks secure and sameSite flags, exposing tokens over plaintext HTTP. No public exploit identified at time of analysis. EPSS data not available. Patch available in version 3.35.10.
Technical ContextAI
The vulnerability resides in Budibase's cookie configuration at packages/backend-core/src/utils/utils.ts where the budibase:auth cookie is set without httpOnly, secure, or sameSite flags. The httpOnly flag is a critical browser security control defined in RFC 6265 that prevents JavaScript from accessing cookies through document.cookie API. Without it, cookies are exposed to any JavaScript execution context including XSS payloads, browser extensions, and injected scripts. The JWT session token stored in this cookie is the primary authentication credential for Budibase sessions. This maps to CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag), a known weakness in web application security. The affected product is cpe:2.3:a:budibase:budibase specifically the npm package @budibase/backend-core prior to version 3.35.10.
RemediationAI
Upgrade to Budibase version 3.35.10 or later where the fix has been implemented in pull request #18571 titled 'Set budibase:auth cookie with secure flag'. The patch sets httpOnly: true, secure: true, and sameSite: 'lax' on the authentication cookie. Upgrade path: npm update @budibase/backend-core to 3.35.10 or upgrade the full Budibase platform to 3.35.10. If immediate upgrade is not possible, implement compensating controls: deploy strict Content Security Policy (CSP) with 'script-src self' to block inline JavaScript and external script injection (trade-off: may break legitimate inline scripts requiring CSP nonce implementation), enable HTTPS-only access and configure HSTS headers to prevent downgrade attacks (trade-off: requires valid TLS certificates), implement Web Application Firewall (WAF) rules to detect and block XSS payloads targeting cookie exfiltration patterns (trade-off: requires tuning to avoid false positives and can be bypassed with encoding). Review and remediate any XSS vulnerabilities in the Budibase instance especially in entity name fields per GHSA-gp5x-2v54-v2q5. Vendor advisory: https://github.com/Budibase/budibase/security/advisories/GHSA-4f9j-vr4p-642r.
Unauthorized data access in Budibase low-code platform before 3.30.4 allows unauthenticated users to manipulate internal
Authorization bypass in Budibase 3.31.4 and earlier. The authorized() middleware can be bypassed, enabling injection att
Budibase is a low code platform for creating internal tools, workflows, and admin panels. [CVSS 8.8 HIGH]
Improper Control of Dynamically-Managed Code Resources in GitHub repository budibase/budibase prior to 1.3.20. Rated med
Path traversal in Budibase low-code platform 3.31.5 and earlier allows attackers to read arbitrary files through the app
Server-Side Request Forgery (SSRF) in Budibase's REST datasource connector (versions prior to 3.33.4) allows authenticat
Authentication bypass in Budibase low-code platform (versions prior to 3.35.4) allows remote unauthenticated attackers t
Remote code execution in Budibase versions prior to 3.33.4 allows unauthenticated attackers to execute arbitrary Bash co
Arbitrary file upload in Budibase 3.24.0 and earlier allows authenticated attackers to bypass UI-level file extension re
Budibase suffers from missing server-side role validation in user management APIs, allowing Creator-level users to escal
Remote code execution in Budibase low-code platform versions prior to 3.33.4 enables authenticated attackers to execute
Stored cross-site scripting (XSS) in Budibase's Builder Command Palette (versions prior to 3.32.5) enables authenticated
Same weakness CWE-1004 – Sensitive Cookie Without 'HttpOnly' Flag
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28429
GHSA-4f9j-vr4p-642r