CVE-2026-41428 Overview
CVE-2026-41428 is an authentication bypass vulnerability in Budibase, an open-source low-code platform. Versions prior to 3.35.4 use unanchored regular expressions in the authenticated middleware to match public (no-auth) endpoint patterns against ctx.request.url. Because Koa includes the query string in ctx.request.url, attackers can reach any protected endpoint by appending a public path as a query parameter. The flaw maps to [CWE-287] Improper Authentication and carries a CVSS 3.1 score of 9.1. Budibase resolved the issue in version 3.35.4.
Critical Impact
Unauthenticated remote attackers can invoke protected API endpoints, including administrative routes such as /api/global/users/search, leading to confidentiality and availability compromise across Budibase deployments.
Affected Products
- Budibase versions prior to 3.35.4
- Self-hosted Budibase deployments exposing the API to untrusted networks
- Budibase instances running behind reverse proxies that forward unfiltered query strings
Discovery Timeline
- 2026-04-24 - CVE-2026-41428 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-41428
Vulnerability Analysis
The vulnerability resides in the Budibase authentication middleware, which determines whether an incoming request targets a public route or requires a valid session. The middleware compares ctx.request.url against a list of regular expressions describing no-auth endpoints. The regular expressions are not anchored with ^ or $, so they match any occurrence of the pattern anywhere in the URL string.
In the Koa framework, ctx.request.url includes both the path and the query string. An attacker can therefore submit a request to a protected endpoint and embed a public path inside an arbitrary query parameter. The middleware sees the public pattern, classifies the request as unauthenticated-friendly, and forwards it to the route handler without verifying credentials. The handler then executes against the actual path, exposing functionality that should require an authenticated session.
Root Cause
The root cause is incorrect input scoping in regular expression matching. Public endpoint patterns such as /api/system/status/ are evaluated against the full URL, including user-controlled query string content. The middleware never separates path from query before matching, and the patterns lack start and end anchors.
Attack Vector
The attack is network-based and requires no privileges or user interaction. An attacker sends a single HTTP request to a protected endpoint and appends a query parameter whose value contains a known public path. For example, POST /api/global/users/search?x=/api/system/status bypasses authentication and reaches the user search handler.
The vulnerability allows attackers to invoke any protected API route, including user enumeration, configuration retrieval, and administrative operations exposed by the Budibase server.
Detection Methods for CVE-2026-41428
Indicators of Compromise
- HTTP requests to protected Budibase API endpoints that contain known public paths such as /api/system/status, /api/health, or /builder embedded in query string parameters.
- Access log entries showing successful responses to /api/global/* or /api/admin/* routes without preceding authentication requests.
- Unexpected user enumeration or configuration retrieval activity originating from a single source IP.
Detection Strategies
- Inspect Budibase access logs for request URLs where the query string contains substrings matching public endpoint patterns.
- Deploy web application firewall (WAF) rules that flag requests whose query parameters include path-like values referencing /api/ routes.
- Correlate authentication events with API access events to identify protected endpoints invoked without prior login.
Monitoring Recommendations
- Forward Budibase application logs and reverse proxy logs to a centralized SIEM for query string analysis.
- Alert on anomalous request rates to /api/global/users/search and other sensitive endpoints from unauthenticated sources.
- Track changes to user accounts, roles, and application configurations and correlate with the source request authentication state.
How to Mitigate CVE-2026-41428
Immediate Actions Required
- Upgrade all Budibase instances to version 3.35.4 or later without delay.
- Restrict network exposure of Budibase administrative interfaces to trusted networks or VPNs until patching is complete.
- Audit recent access logs for query strings containing public endpoint paths and review any administrative actions performed during the exposure window.
Patch Information
Budibase released a fix in version 3.35.4 that anchors the public endpoint regular expressions and evaluates them against the request path only, excluding the query string. Refer to the Budibase GitHub Security Advisory GHSA-8783-3wgf-jggf for the official advisory and patch details.
Workarounds
- Place a reverse proxy in front of Budibase that strips or rejects query strings containing /api/ substrings on protected routes.
- Apply WAF rules that block requests where query parameter values match known Budibase public endpoint patterns.
- Limit network access to the Budibase API to authenticated VPN users until the upgrade is deployed.
# Example NGINX rule to block query strings containing public Budibase paths
if ($args ~* "/api/(system/status|health|public)") {
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
