Skip to main content

Budibase CVE-2026-42239

| EUVDEUVD-2026-28429 HIGH
Sensitive Cookie Without 'HttpOnly' Flag (CWE-1004)
2026-05-07 GitHub_M GHSA-4f9j-vr4p-642r
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 20:00 vuln.today
Analysis Generated
May 07, 2026 - 20:00 vuln.today
CVE Published
May 07, 2026 - 18:49 nvd
HIGH 8.1

DescriptionGitHub Advisory

Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. JavaScript can read this cookie via document.cookie. This means every XSS becomes a full account takeover - the attacker steals the JWT and has persistent access to the victim's account. The cookie also lacks secure: true (sent over plaintext HTTP) and sameSite attribute. This issue has been patched in version 3.35.10.

AnalysisAI

Session hijacking via JavaScript-readable authentication cookies in Budibase versions prior to 3.35.10 allows any Cross-Site Scripting (XSS) vulnerability to escalate into full account takeover. The budibase:auth cookie containing the JWT session token is set with httpOnly: false, enabling JavaScript to read it via document.cookie. Combined with confirmed prior XSS vulnerabilities in Budibase (GHSA-gp5x-2v54-v2q5), attackers can exfiltrate session tokens and gain persistent access to victim accounts. The cookie also lacks secure and sameSite flags, exposing tokens over plaintext HTTP. No public exploit identified at time of analysis. EPSS data not available. Patch available in version 3.35.10.

Technical ContextAI

The vulnerability resides in Budibase's cookie configuration at packages/backend-core/src/utils/utils.ts where the budibase:auth cookie is set without httpOnly, secure, or sameSite flags. The httpOnly flag is a critical browser security control defined in RFC 6265 that prevents JavaScript from accessing cookies through document.cookie API. Without it, cookies are exposed to any JavaScript execution context including XSS payloads, browser extensions, and injected scripts. The JWT session token stored in this cookie is the primary authentication credential for Budibase sessions. This maps to CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag), a known weakness in web application security. The affected product is cpe:2.3:a:budibase:budibase specifically the npm package @budibase/backend-core prior to version 3.35.10.

RemediationAI

Upgrade to Budibase version 3.35.10 or later where the fix has been implemented in pull request #18571 titled 'Set budibase:auth cookie with secure flag'. The patch sets httpOnly: true, secure: true, and sameSite: 'lax' on the authentication cookie. Upgrade path: npm update @budibase/backend-core to 3.35.10 or upgrade the full Budibase platform to 3.35.10. If immediate upgrade is not possible, implement compensating controls: deploy strict Content Security Policy (CSP) with 'script-src self' to block inline JavaScript and external script injection (trade-off: may break legitimate inline scripts requiring CSP nonce implementation), enable HTTPS-only access and configure HSTS headers to prevent downgrade attacks (trade-off: requires valid TLS certificates), implement Web Application Firewall (WAF) rules to detect and block XSS payloads targeting cookie exfiltration patterns (trade-off: requires tuning to avoid false positives and can be bypassed with encoding). Review and remediate any XSS vulnerabilities in the Budibase instance especially in entity name fields per GHSA-gp5x-2v54-v2q5. Vendor advisory: https://github.com/Budibase/budibase/security/advisories/GHSA-4f9j-vr4p-642r.

CVE-2026-27702 CRITICAL POC
9.9 Feb 25

Unauthorized data access in Budibase low-code platform before 3.30.4 allows unauthenticated users to manipulate internal

CVE-2026-31816 CRITICAL POC
9.1 Mar 09

Authorization bypass in Budibase 3.31.4 and earlier. The authorized() middleware can be bypassed, enabling injection att

CVE-2026-25040 HIGH POC
8.8 Jan 29

Budibase is a low code platform for creating internal tools, workflows, and admin panels. [CVSS 8.8 HIGH]

CVE-2022-3225 MEDIUM POC
5.7 Sep 16

Improper Control of Dynamically-Managed Code Resources in GitHub repository budibase/budibase prior to 1.3.20. Rated med

CVE-2026-30240 CRITICAL
9.6 Mar 09

Path traversal in Budibase low-code platform 3.31.5 and earlier allows attackers to read arbitrary files through the app

CVE-2026-31818 CRITICAL
9.6 Apr 03

Server-Side Request Forgery (SSRF) in Budibase's REST datasource connector (versions prior to 3.33.4) allows authenticat

CVE-2026-41428 CRITICAL
9.1 Apr 24

Authentication bypass in Budibase low-code platform (versions prior to 3.35.4) allows remote unauthenticated attackers t

CVE-2026-35216 CRITICAL
9.0 Apr 03

Remote code execution in Budibase versions prior to 3.33.4 allows unauthenticated attackers to execute arbitrary Bash co

CVE-2026-25737 HIGH
8.9 Mar 09

Arbitrary file upload in Budibase 3.24.0 and earlier allows authenticated attackers to bypass UI-level file extension re

CVE-2026-25045 HIGH
8.8 Mar 09

Budibase suffers from missing server-side role validation in user management APIs, allowing Creator-level users to escal

CVE-2026-25044 HIGH
8.7 Apr 03

Remote code execution in Budibase low-code platform versions prior to 3.33.4 enables authenticated attackers to execute

CVE-2026-35218 HIGH
8.7 Apr 03

Stored cross-site scripting (XSS) in Budibase's Builder Command Palette (versions prior to 3.32.5) enables authenticated

Share

CVE-2026-42239 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy