CVE-2026-48147 Overview
CVE-2026-48147 is a Cross-Site Request Forgery (CSRF) protection bypass in Budibase, an open-source low-code platform. The flaw resides in the buildMatcherRegex() and matches() functions inside packages/backend-core/src/middleware/matchers.ts. Route patterns are compiled into unanchored regular expressions and tested against ctx.request.url, which includes the full query string. The Budibase Worker's CSRF middleware uses this matching logic to decide whether to skip token validation. An unauthenticated attacker can inject a public route pattern into the query string to disable CSRF checks on any Worker API endpoint. The issue is fixed in version 3.35.4.
Critical Impact
Attackers can forge cross-origin requests that send admin invites, modify global configuration, and manage users without a valid CSRF token.
Affected Products
- Budibase versions prior to 3.35.4
- Budibase Worker CSRF middleware
- Budibase backend-core package (matchers.ts)
Discovery Timeline
- 2026-05-27 - CVE-2026-48147 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-48147
Vulnerability Analysis
The vulnerability is an Incorrect Regular Expression issue [CWE-185] in Budibase's middleware routing layer. The buildMatcherRegex() helper compiles public route patterns into regular expressions without anchoring them with ^ and $. The compiled patterns are then evaluated against ctx.request.url, a string that contains both the path and the query string. Because the expressions are unanchored, any substring match anywhere in the URL satisfies the matcher.
The Budibase Worker's CSRF middleware consults this matcher to determine which routes are exempt from token validation. When the matcher returns true, the middleware skips the CSRF check entirely. An attacker who appends a known public route pattern to the query string of a sensitive endpoint forces the matcher to return true for that request. The CSRF protection is then bypassed for protected actions including sending administrator invites, modifying global configuration, and managing users.
Root Cause
The root cause is two combined defects. First, route patterns are compiled into unanchored regular expressions, allowing matches against arbitrary substrings. Second, matching is performed against the full request URL including the query string, which is attacker-controlled. The combination lets attacker-supplied query parameters satisfy server-side allowlist checks.
Attack Vector
An unauthenticated attacker hosts a malicious page that triggers a cross-origin request to a Budibase Worker endpoint. The request URL appends a query string containing a substring matching a public route pattern, for example ?path=/api/public/health. When a victim with an active Worker session visits the attacker's page, the browser submits the forged request with session cookies. The CSRF middleware matches the injected substring, skips token validation, and the server executes the privileged action.
No verified exploit code is published. See the GitHub Security Advisory GHSA-wxq7-x3qp-vcr8 for technical details.
Detection Methods for CVE-2026-48147
Indicators of Compromise
- Worker API requests containing public route substrings inside query parameters on state-changing endpoints such as /api/global/users, /api/global/configs, or invite endpoints.
- Cross-origin POST, PUT, or DELETE requests to Worker endpoints lacking a valid x-csrf-token header.
- Unexpected administrator invite emails or new user accounts created without corresponding administrator session activity.
Detection Strategies
- Inspect Worker access logs for requests whose query strings contain path-like values referencing known public routes.
- Correlate state-changing API calls with the presence and validity of the CSRF token header to flag bypass attempts.
- Alert on cross-origin Referer or Origin headers on Worker administrative endpoints.
Monitoring Recommendations
- Centralize Budibase Worker logs and review configuration and user-management endpoints daily.
- Monitor admin invite, role assignment, and global config audit events for anomalous frequency or source.
- Track the deployed Budibase version across environments to confirm all instances are at 3.35.4 or later.
How to Mitigate CVE-2026-48147
Immediate Actions Required
- Upgrade all Budibase Worker instances to version 3.35.4 or later without delay.
- Rotate administrator credentials and invalidate active sessions after patching to evict any attacker-established access.
- Audit user, role, and global configuration changes since the vulnerable version was deployed.
Patch Information
Budibase fixed the issue in version 3.35.4. The patch anchors the regular expressions produced by buildMatcherRegex() and constrains matching to the request path rather than the full URL with query string. Review the GitHub Security Advisory GHSA-wxq7-x3qp-vcr8 for release details.
Workarounds
- Place Budibase Worker behind a reverse proxy that strips or rejects query strings containing path-like substrings on administrative endpoints.
- Enforce strict SameSite=Strict cookies on Worker sessions to limit cross-origin cookie attachment.
- Restrict Worker administrative endpoints to trusted networks until the patched version is deployed.
# Configuration example - upgrade Budibase to the patched release
npm install -g @budibase/cli
budi --version
budi update --version 3.35.4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
