What is the CVSS score of CVE-2026-48151?

CVE-2026-48151 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Budibase are affected by CVE-2026-48151?

Budibase instances running versions before 3.39.0 are vulnerable to unauthorized modification of workflow automation logic by external actors requiring no credentials.. A patch is available.

How to fix or mitigate CVE-2026-48151?

Within 24 hours: inventory all Budibase deployments and identify instances running versions prior to 3.39.0. Within 7 days: upgrade all affected instances to Budibase 3.39.0 or later. Within 30 days: audit webhook and automation configurations to detect and remediate any unauthorized schema modifications that may have occurred during the exposure window.

Budibase CVE-2026-48151

EUVD-2026-32589 HIGH

Missing Authorization (CWE-862)

2026-05-27 security-advisories@github.com

Authentication Bypass

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

May 27, 2026 - 19:53 vuln.today

Patch available

May 27, 2026 - 19:46 EUVD

DescriptionNVD

Budibase is an open-source low-code platform. Prior to 3.39.0, the webhook schema-building endpoint is registered under builderRoutes, but the generic authorization middleware skips authorization for all paths matching /api/webhooks/schema. As a result, an unauthenticated caller can update the body schema for a known webhook and mutate the corresponding automation trigger output schema. This vulnerability is fixed in 3.39.0.

AnalysisAI

Missing authorization in Budibase's webhook schema-building endpoint allows unauthenticated remote attackers to alter the body schema of a known webhook and, in turn, mutate the output schema of its associated automation trigger in any instance prior to 3.39.0. The CVSS 7.5 score is driven entirely by an integrity impact (I:H) with no confidentiality or availability effect, reflecting that an attacker can tamper with automation logic but not directly read data or crash the service. …

RemediationAI

Within 24 hours: inventory all Budibase deployments and identify instances running versions prior to 3.39.0. Within 7 days: upgrade all affected instances to Budibase 3.39.0 or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-48151 vulnerability details – vuln.today

Back

Budibase CVE-2026-48151

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code