CVE-2026-48151 Overview
CVE-2026-48151 is a missing authorization vulnerability [CWE-862] in Budibase, an open-source low-code application platform. The flaw affects the webhook schema-building endpoint registered under builderRoutes. The generic authorization middleware skips authorization checks for all paths matching /api/webhooks/schema, leaving the endpoint exposed to unauthenticated requests. An unauthenticated attacker can update the body schema for a known webhook and mutate the corresponding automation trigger output schema. The vulnerability is fixed in Budibase version 3.39.0.
Critical Impact
Unauthenticated remote attackers can tamper with webhook and automation trigger schemas, compromising the integrity of automated workflows in affected Budibase deployments.
Affected Products
- Budibase open-source low-code platform versions prior to 3.39.0
- Self-hosted Budibase deployments exposing the builder API
- Budibase instances with /api/webhooks/schema reachable over the network
Discovery Timeline
- 2026-05-27 - CVE-2026-48151 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-48151
Vulnerability Analysis
Budibase exposes a builder-facing API used to construct and configure automations, including webhook triggers. The webhook schema-building endpoint is registered under builderRoutes, which would normally require an authenticated builder session. The generic authorization middleware explicitly skips authorization for any path matching /api/webhooks/schema, creating an unauthenticated path into builder functionality.
An attacker who knows or can enumerate a webhook identifier can call the endpoint and modify its body schema. Because webhook schemas drive the output schema of the corresponding automation trigger, this mutation propagates into automation logic. The result is an integrity-impacting attack against tenant automations without requiring credentials or user interaction.
Root Cause
The root cause is a missing authorization control [CWE-862]. The middleware responsible for enforcing builder authentication contains an explicit exclusion for /api/webhooks/schema, but the endpoint behind that path performs privileged schema mutation. The exclusion was likely intended for a different, lower-privilege handler, leaving an authorization gap.
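The exclusion pattern described above, as an added illustration that is not Budibase's code: a generic authorization middleware whose skip list is matched by the privileged schema route (so the route is never authorized), beside a hardened version in which authorization is the default and only an explicit, exact allowlist of public routes bypasses the builder-session check. The health route, the session object, the builder role and the request body are hypothetical stand-ins.

```javascript
// Added illustration of the CWE-862 pattern described above; this is not Budibase
// code. Paths other than /api/webhooks/schema, the session object and the
// "builder" role are hypothetical stand-ins.

const SCHEMA_PATH = "/api/webhooks/schema";

// Shared check: the request must carry a session with the builder role.
function requireBuilder(req) {
  if (!req.session) {
    return { allowed: false, status: 401, reason: "no session" };
  }
  if (req.session.role !== "builder") {
    return { allowed: false, status: 403, reason: "not a builder" };
  }
  return { allowed: true, reason: "builder session" };
}

// Vulnerable pattern: a generic authorization middleware keeps a list of path
// patterns that bypass the check. The pattern for the webhook schema path also
// matches the privileged schema-building route, so that route is never authorized.
function authorizeVulnerable(req) {
  const skipAuthPatterns = [/^\/api\/webhooks\/schema/];
  if (skipAuthPatterns.some((re) => re.test(req.path))) {
    return { allowed: true, reason: "skipped by path exclusion" };
  }
  return requireBuilder(req);
}

// Hardened pattern: authorization is the default. Only an explicit allowlist of
// (method, exact path) pairs is public; the schema route is not on it, so an
// over-broad pattern cannot silently open a privileged handler.
const PUBLIC_ROUTES = new Set(["GET /healthz"]); // hypothetical public route

function authorizeFixed(req) {
  if (PUBLIC_ROUTES.has(`${req.method} ${req.path}`)) {
    return { allowed: true, reason: "public route" };
  }
  return requireBuilder(req);
}

// Run one request through the chain the way a router would: the authorization
// step either short-circuits with a status or lets the handler run.
function handleSchemaUpdate(authorize, req) {
  const decision = authorize(req);
  if (!decision.allowed) {
    return { status: decision.status, body: decision.reason };
  }
  // The real handler performs the privileged mutation; here it only records it.
  return { status: 200, body: `schema updated for ${req.body.webhookId}` };
}

// Constructed requests (not captured traffic): the same schema update with no
// session, with a non-builder session, and with a builder session.
const anonUpdate = { method: "PUT", path: SCHEMA_PATH, session: null, body: { webhookId: "wh_placeholder" } };
const viewerUpdate = { ...anonUpdate, session: { role: "viewer" } };
const builderUpdate = { ...anonUpdate, session: { role: "builder" } };

console.log(handleSchemaUpdate(authorizeVulnerable, anonUpdate)); // status 200: exclusion lets it through
console.log(handleSchemaUpdate(authorizeFixed, anonUpdate));      // status 401
console.log(handleSchemaUpdate(authorizeFixed, viewerUpdate));    // status 403
console.log(handleSchemaUpdate(authorizeFixed, builderUpdate));   // status 200
```

The design point is the direction of the default: a deny-by-default middleware with an exact public allowlist fails closed when a route is added or renamed, whereas a pattern-based skip list fails open whenever a privileged route happens to share a prefix with an intended exclusion.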
Attack Vector
The vulnerability is exploitable over the network with low complexity and no privileges or user interaction. An attacker sends a crafted HTTP request to the /api/webhooks/schema endpoint of a vulnerable Budibase instance, supplying a known webhook identifier and a modified body schema. The server accepts the request without authentication and persists the schema change, altering downstream automation trigger output. Refer to the GitHub Security Advisory GHSA-qhv3-wjg8-6fx6 for additional technical context.
Detection Methods for CVE-2026-48151
Indicators of Compromise
- HTTP requests to /api/webhooks/schema originating from unauthenticated sessions or unexpected source IP addresses.
- Unexpected modifications to webhook body schemas or automation trigger output schemas in Budibase audit logs.
- Automation executions producing malformed or unexpected payload structures following schema changes.
Detection Strategies
- Inspect application and reverse proxy logs for POST or PUT requests targeting /api/webhooks/schema without a valid builder session cookie or token.
- Correlate schema-mutation events with the identity of the calling user; flag events lacking an authenticated principal.
- Baseline legitimate builder activity and alert on webhook schema changes outside change-management windows.
Monitoring Recommendations
- Enable verbose access logging on the Budibase application tier and any fronting load balancer or web application firewall.
- Forward Budibase logs to a centralized analytics platform and create alerts for access to builder routes from non-builder IP ranges.
- Monitor automation trigger configuration changes and alert on schema differences detected between scheduled snapshots.
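The detection strategies and monitoring recommendations above, as an added example that is not part of the page or of Budibase: a script that reads reverse-proxy access log lines, keeps only requests to /api/webhooks/schema, and raises an alert when a mutating request carries no builder session cookie or when the source address lies outside the builder network. It assumes a constructed log format that includes the Cookie header; the cookie name bb_session, the builder network 10.0.0.0/8 and all sample lines are placeholders.

```javascript
// Added detection example for the strategies above; it is not Budibase code or
// tooling. It assumes a reverse proxy in front of Budibase writes one line per
// request in this constructed format:
//   $remote_addr [$time_local] "$request" $status "$http_cookie"
// The session cookie name "bb_session" and the builder network 10.0.0.0/8 are
// placeholders to replace with the deployment's real values.

const SCHEMA_PREFIX = "/api/webhooks/schema";
const SESSION_COOKIE = "bb_session";          // placeholder cookie name
const BUILDER_RANGES = ["10.0.0.0/8"];        // placeholder builder/admin network
const MUTATING_METHODS = new Set(["POST", "PUT", "PATCH"]);
const LINE_RE = /^(\S+) \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) "([^"]*)"$/;

// Constructed sample lines, not captured traffic. nginx logs an absent header as "-".
const SAMPLE_LOG = [
  '10.1.2.3 [27/May/2026:10:00:00 +0000] "PUT /api/webhooks/schema HTTP/1.1" 200 "bb_session=abc123"',
  '203.0.113.5 [27/May/2026:10:05:12 +0000] "PUT /api/webhooks/schema HTTP/1.1" 200 "-"',
  '198.51.100.7 [27/May/2026:10:06:00 +0000] "GET /api/webhooks/schema HTTP/1.1" 401 "-"',
  '10.9.9.9 [27/May/2026:10:07:00 +0000] "POST /api/example/other HTTP/1.1" 200 "bb_session=zzz"',
];

// Minimal IPv4 CIDR membership test (no external dependency).
function ipToInt(ip) {
  return ip.split(".").reduce((acc, oct) => ((acc << 8) | Number(oct)) >>> 0, 0);
}

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
}

// True only if a non-empty session cookie is present in the Cookie header.
function hasSessionCookie(cookieHeader) {
  return cookieHeader
    .split(";")
    .map((c) => c.trim())
    .some((c) => c.startsWith(`${SESSION_COOKIE}=`) && c.length > SESSION_COOKIE.length + 1);
}

// Returns one alert per suspicious request to the schema endpoint.
function analyzeAccessLog(lines) {
  const alerts = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue; // skip lines in another format rather than failing
    const [, ip, time, method, target, status, cookies] = m;
    const path = target.split("?")[0];
    if (!path.startsWith(SCHEMA_PREFIX)) continue;

    const reasons = [];
    if (MUTATING_METHODS.has(method) && !hasSessionCookie(cookies)) {
      reasons.push("no builder session cookie");
    }
    if (!BUILDER_RANGES.some((cidr) => inCidr(ip, cidr))) {
      reasons.push("source outside builder ranges");
    }
    if (reasons.length === 0) continue;

    // A 2xx on an unauthenticated mutation means the server accepted it:
    // treat that as a likely schema tampering event, not just an attempt.
    alerts.push({ ip, time, method, path, status: Number(status), accepted: status.startsWith("2"), reasons });
  }
  return alerts;
}

for (const a of analyzeAccessLog(SAMPLE_LOG)) {
  console.log(`${a.accepted ? "ACCEPTED" : "REJECTED"} ${a.ip} ${a.method} ${a.path} -> ${a.status}: ${a.reasons.join(", ")}`);
}
```

Any alert with accepted set to true on a pre-3.39.0 instance should trigger the review of webhook and automation trigger schemas listed under the immediate actions, since it means the server persisted a change for a caller it never authenticated.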
How to Mitigate CVE-2026-48151
Immediate Actions Required
- Upgrade Budibase to version 3.39.0 or later on all self-hosted instances.
- Restrict network exposure of the Budibase builder interface to trusted administrative networks or VPN users.
- Review existing webhooks and automation trigger schemas for unauthorized modifications.
Patch Information
The vulnerability is fixed in Budibase 3.39.0. The patch ensures the authorization middleware no longer skips authorization for the webhook schema-building endpoint. Details are published in the GitHub Security Advisory GHSA-qhv3-wjg8-6fx6.
Workarounds
- Place the Budibase builder behind an authenticating reverse proxy that blocks unauthenticated requests to /api/webhooks/schema.
- Use a web application firewall rule to deny external requests to /api/webhooks/* paths until the upgrade is applied.
- Limit builder role access and rotate any webhook identifiers that may have been exposed publicly.
# Example NGINX rule to block unauthenticated access to the vulnerable endpoint.
# Prefix match so that sub-paths under /api/webhooks/schema are covered as well.
# "budibase_auth" and "budibase_upstream" are placeholders: use the session cookie
# name and upstream configured in your deployment. This only checks that a session
# cookie is present; Budibase itself must still validate it, so upgrade regardless.
location ^~ /api/webhooks/schema {
    # Reject requests that carry no session cookie before they reach Budibase
    if ($cookie_budibase_auth = "") {
        return 401;
    }
    proxy_pass http://budibase_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.