Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Budibase is an open-source low-code platform. Prior to 3.35.4, the buildMatcherRegex() / matches() functions in packages/backend-core/src/middleware/matchers.ts route patterns are compiled into unanchored regular expressions and tested against ctx.request.url, which includes the full query string. The CSRF middleware in the Budibase Worker uses this matching system to decide whether to skip CSRF token validation. An unauthenticated attacker can forge state-changing cross-origin requests against any Worker API endpoint by injecting a public route pattern into the query string, causing the CSRF middleware to skip token validation entirely. This allows actions such as sending admin invites, modifying global configuration, and managing users without a valid CSRF token. This vulnerability is fixed in 3.35.4.
AnalysisAI
CSRF middleware bypass in Budibase Worker allows unauthenticated remote attackers to forge state-changing requests against any Worker API endpoint by injecting a public route pattern into the query string. Affected versions prior to 3.35.4 are exposed to privilege escalation actions including sending admin invites, modifying global configuration, and managing users - all without a valid CSRF token. User interaction is required (CVSS UI:R), limiting opportunistic mass exploitation, though proof-of-concept exploit code exists per SSVC assessment. No active exploitation has been confirmed by CISA KEV at time of analysis.
Technical ContextAI
The root cause is CWE-185 (Incorrect Regular Expression), specifically in the buildMatcherRegex() and matches() functions located at packages/backend-core/src/middleware/matchers.ts. Route patterns are compiled into unanchored regular expressions - meaning they can match anywhere within the input string rather than requiring a full-string or path-boundary match. These regexes are evaluated against ctx.request.url, which includes the full query string. The CSRF middleware in the Budibase Worker service relies on this matching logic to determine whether a request maps to a public (CSRF-exempt) route. Because the regex is unanchored and the query string is included in the matched input, an attacker can inject a string matching a public route pattern (e.g., /api/public/placeholder) as a query parameter, causing the middleware to incorrectly classify the request as exempt and skip CSRF token validation entirely. Affected product: budibase < 3.35.4 (EUVD-2026-32606).
RemediationAI
Upgrade to Budibase 3.35.4 or later, which resolves the vulnerability by anchoring the route-matching regular expressions so they cannot be satisfied via injected query string values. The vendor advisory is available at https://github.com/Budibase/budibase/security/advisories/GHSA-wxq7-x3qp-vcr8. If immediate upgrade is not feasible, a targeted compensating control is to place a reverse proxy or WAF in front of the Budibase Worker API that strips or rejects requests containing path-like patterns (e.g., segments matching /api/ or /public/) in query string parameters - note this may break legitimate deep-link or redirect functionality and requires careful testing. Restricting access to the Budibase Worker API to trusted internal networks or VPN reduces the attack surface further, since AV:N requires the attacker to reach the service directly or lure a victim on an accessible network. Neither workaround fully eliminates risk and upgrade remains the definitive fix.
Same weakness CWE-185 – Incorrect Regular Expression
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32606
GHSA-wxq7-x3qp-vcr8