Skip to main content

Budibase CVE-2026-50136

| EUVDEUVD-2026-39912 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-06-22 https://github.com/Budibase/budibase GHSA-jj36-r9w3-3pfh
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
9.9 CRITICAL

Advisory and patch confirm no auth (PR:N); attacker writes arbitrary objects in third-party buckets (S:C, I:H), with limited confidentiality and storage-abuse availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Severity Changed
Jun 30, 2026 - 19:52 NVD
HIGH MEDIUM
CVSS changed
Jun 30, 2026 - 19:52 NVD
7.4 (HIGH) 5.3 (MEDIUM)
Source Code Evidence Fetched
Jun 22, 2026 - 23:30 vuln.today
Analysis Generated
Jun 22, 2026 - 23:30 vuln.today

DescriptionNVD

The application server exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored in a workspace datasource. The route is protected only by the recaptcha middleware and does not require authentication, table permission, datasource permission, or builder access. A public caller who knows a workspace ID and S3 datasource ID can request a signed upload URL for attacker-controlled bucket and key values.

Details

The static route registers the signed upload URL endpoint with only recaptcha before the controller:

  • packages/server/src/api/routes/static.ts:44-48
ts
44:  .post(
45:    "/api/attachments/:datasourceId/url",
46:    recaptcha,
47:    controller.getSignedUploadURL
48:  )

The controller loads the datasource by datasourceId with enriched secret values:

  • packages/server/src/api/controllers/static/index.ts:590-598
ts
590:export const getSignedUploadURL = async function (
591:  ctx: Ctx<GetSignedUploadUrlRequest, GetSignedUploadUrlResponse>
592:) {
593:  // Ensure datasource is valid
594:  let datasource
595:  try {
596:    const { datasourceId } = ctx.params
597:    datasource = await sdk.datasources.get(datasourceId, { enriched: true })
598:    if (!datasource) {

The request body controls bucket and key, and the server signs a PUT URL using the stored datasource credentials:

  • packages/server/src/api/controllers/static/index.ts:609-629
ts
609:  if (datasource?.source === "S3") {
610:    const { bucket, key } = ctx.request.body || {}
611:    if (!bucket || !key) {
612:      ctx.throw(400, "bucket and key values are required")
613:    }
614:    try {
615:      let endpoint = datasource?.config?.endpoint
616:      if (endpoint && !utils.urlHasProtocol(endpoint)) {
617:        endpoint = `https://${endpoint}`
618:      }
619:      const s3 = new S3({
620:        region: awsRegion,
621:        endpoint: endpoint,
622:        credentials: {
623:          accessKeyId: datasource?.config?.accessKeyId as string,
624:          secretAccessKey: datasource?.config?.secretAccessKey as string,
625:        },
626:      })
627:      const params = { Bucket: bucket, Key: key }
628:      signedUrl = await getSignedUrl(s3, new PutObjectCommand(params))
629:      if (endpoint) {

The endpoint returns the signed URL and public URL to the caller:

  • packages/server/src/api/controllers/static/index.ts:630-639
ts
630:        publicUrl = `${endpoint}/${bucket}/${key}`
631:      } else {
632:        publicUrl = `https://${bucket}.s3.${awsRegion}.amazonaws.com/${key}`
633:      }
634:    } catch (error: any) {
635:      ctx.throw(400, error)
636:    }
637:  }
638:
639:  ctx.body = { signedUrl, publicUrl }

Because no authorization middleware is applied, the API trusts public input to choose where the stored S3 credentials will write.

PoC

Non-destructive validation approach:

  1. Create or identify a workspace with an S3 datasource.
  2. Obtain the production workspace ID and S3 datasource ID.
  3. Send an unauthenticated request with the workspace ID header and attacker-controlled bucket/key:
http
POST /api/attachments/<datasourceId>/url HTTP/1.1
x-budibase-app-id: app_<workspace-id>
content-type: application/json

{"bucket":"attacker-controlled-or-permitted-bucket","key":"poc/budibase.txt"}
  1. Observe that the response contains a signed PUT URL.
  2. Upload harmless content to the returned signedUrl and confirm the object is created using the datasource's stored S3 credentials.

Impact

This allows unauthenticated arbitrary object writes wherever the stored S3 datasource credentials have PutObject access. Depending on the datasource permissions, this can corrupt application data, overwrite public assets, place attacker-controlled objects in trusted buckets, consume storage, or abuse an organization's cloud credentials.

AnalysisAI

Unauthenticated arbitrary S3 object write in Budibase server (npm/@budibase/server before 3.39.2) lets any remote caller who learns a workspace ID and S3 datasource ID obtain attacker-chosen PutObject presigned URLs signed with the workspace's stored AWS credentials. The /api/attachments/:datasourceId/url route is gated only by reCAPTCHA - no authentication, builder role, or datasource permission check - so an unauthenticated attacker can write arbitrary objects to any bucket the stored credentials can reach. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify exposed Budibase host
Delivery
Harvest workspace/app ID from public app URL
Exploit
Enumerate S3 datasource ID via /api/attachments/:id/url
Install
Solve reCAPTCHA and POST attacker-chosen bucket/key
C2
Receive presigned PutObject URL
Execute
PUT malicious object using stolen credentials
Impact
Defacement, asset poisoning, or cloud-cost abuse

Vulnerability AssessmentAI

Exploitation Requires (1) network reachability to the Budibase server's /api/attachments/:datasourceId/url endpoint, (2) knowledge of a valid workspace/app ID (passed via x-budibase-app-id header - not a secret, often discoverable from app URLs), (3) knowledge of an S3 datasource ID within that workspace (small ID space, brute-forceable), and (4) the targeted workspace must have an S3-source datasource configured with stored accessKeyId/secretAccessKey. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L, 7.4) is internally inconsistent with the description: PR:L implies the attacker must hold some privilege, but both the advisory text and the patch (which adds authorized(BUILDER) and a 401 test) confirm the endpoint was reachable with no authentication - PR:N is the more accurate choice. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers an internet-reachable self-hosted Budibase instance, harvests a workspace (app) ID from any public-facing app URL, and enumerates the small S3 datasource ID space until /api/attachments/<datasourceId>/url returns a signedUrl. They then PUT a malicious HTML/JS payload to a public-asset bucket the organization trusts (defacement, watering-hole) or write large objects to inflate the victim's storage bill; the advisory's PoC walks through exactly this flow non-destructively.
Remediation Vendor-released patch: @budibase/server 3.39.2 - upgrade immediately, as the fix adds authorized(BUILDER) to the /api/attachments/:datasourceId/url route (see PR https://github.com/Budibase/budibase/pull/18774 and commit https://github.com/Budibase/budibase/commit/d9dbb7f6105373cc88ecacdbcab70c776f7dd6a1). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Budibase deployments by version and identify those using S3 datasources. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-50136 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy