Skip to main content

Budibase EUVDEUVD-2026-32589

| CVE-2026-48151 HIGH
Missing Authorization (CWE-862)
2026-05-27 security-advisories@github.com GHSA-qhv3-wjg8-6fx6
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 19:53 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

DescriptionGitHub Advisory

Budibase is an open-source low-code platform. Prior to 3.39.0, the webhook schema-building endpoint is registered under builderRoutes, but the generic authorization middleware skips authorization for all paths matching /api/webhooks/schema. As a result, an unauthenticated caller can update the body schema for a known webhook and mutate the corresponding automation trigger output schema. This vulnerability is fixed in 3.39.0.

AnalysisAI

Missing authorization in Budibase's webhook schema-building endpoint allows unauthenticated remote attackers to alter the body schema of a known webhook and, in turn, mutate the output schema of its associated automation trigger in any instance prior to 3.39.0. The CVSS 7.5 score is driven entirely by an integrity impact (I:H) with no confidentiality or availability effect, reflecting that an attacker can tamper with automation logic but not directly read data or crash the service. There is no public exploit identified at time of analysis, the issue is not listed in CISA KEV, and no EPSS score was provided in the source data.

Share

EUVD-2026-32589 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy