Skip to main content

Budibase CVE-2026-48147

| EUVDEUVD-2026-32606 MEDIUM
Incorrect Regular Expression (CWE-185)
2026-05-27 security-advisories@github.com GHSA-wxq7-x3qp-vcr8
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 21:06 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

DescriptionGitHub Advisory

Budibase is an open-source low-code platform. Prior to 3.35.4, the buildMatcherRegex() / matches() functions in packages/backend-core/src/middleware/matchers.ts route patterns are compiled into unanchored regular expressions and tested against ctx.request.url, which includes the full query string. The CSRF middleware in the Budibase Worker uses this matching system to decide whether to skip CSRF token validation. An unauthenticated attacker can forge state-changing cross-origin requests against any Worker API endpoint by injecting a public route pattern into the query string, causing the CSRF middleware to skip token validation entirely. This allows actions such as sending admin invites, modifying global configuration, and managing users without a valid CSRF token. This vulnerability is fixed in 3.35.4.

AnalysisAI

CSRF middleware bypass in Budibase Worker allows unauthenticated remote attackers to forge state-changing requests against any Worker API endpoint by injecting a public route pattern into the query string. Affected versions prior to 3.35.4 are exposed to privilege escalation actions including sending admin invites, modifying global configuration, and managing users - all without a valid CSRF token. User interaction is required (CVSS UI:R), limiting opportunistic mass exploitation, though proof-of-concept exploit code exists per SSVC assessment. No active exploitation has been confirmed by CISA KEV at time of analysis.

Technical ContextAI

The root cause is CWE-185 (Incorrect Regular Expression), specifically in the buildMatcherRegex() and matches() functions located at packages/backend-core/src/middleware/matchers.ts. Route patterns are compiled into unanchored regular expressions - meaning they can match anywhere within the input string rather than requiring a full-string or path-boundary match. These regexes are evaluated against ctx.request.url, which includes the full query string. The CSRF middleware in the Budibase Worker service relies on this matching logic to determine whether a request maps to a public (CSRF-exempt) route. Because the regex is unanchored and the query string is included in the matched input, an attacker can inject a string matching a public route pattern (e.g., /api/public/placeholder) as a query parameter, causing the middleware to incorrectly classify the request as exempt and skip CSRF token validation entirely. Affected product: budibase < 3.35.4 (EUVD-2026-32606).

RemediationAI

Upgrade to Budibase 3.35.4 or later, which resolves the vulnerability by anchoring the route-matching regular expressions so they cannot be satisfied via injected query string values. The vendor advisory is available at https://github.com/Budibase/budibase/security/advisories/GHSA-wxq7-x3qp-vcr8. If immediate upgrade is not feasible, a targeted compensating control is to place a reverse proxy or WAF in front of the Budibase Worker API that strips or rejects requests containing path-like patterns (e.g., segments matching /api/ or /public/) in query string parameters - note this may break legitimate deep-link or redirect functionality and requires careful testing. Restricting access to the Budibase Worker API to trusted internal networks or VPN reduces the attack surface further, since AV:N requires the attacker to reach the service directly or lure a victim on an accessible network. Neither workaround fully eliminates risk and upgrade remains the definitive fix.

Share

CVE-2026-48147 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy