Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-50132

CVE-2026-50132: Budibase Auth Bypass Vulnerability

CVE-2026-50132 is an authentication bypass flaw in Budibase that allows attackers to hijack user accounts by linking them to attacker-controlled chat identities without consent. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-50132 Overview

Budibase is an open-source low-code platform used to build internal tools and business applications. CVE-2026-50132 affects Budibase versions prior to 3.39.0. The vulnerability resides in the GET /api/chat-links/:instance/:token/handoff endpoint, which is publicly accessible without authentication yet performs a permanent, state-changing operation. When an authenticated Budibase victim visits an attacker-crafted URL, the server silently binds the victim's account to the attacker's external chat identity (Slack, Discord, or Microsoft Teams). The endpoint lacks both a consent interface and Cross-Site Request Forgery (CSRF) protection.

Critical Impact

An attacker can permanently hijack the chat-identity binding of any authenticated Budibase user, gaining persistent unauthorized access to that user's account via chat integrations.

Affected Products

  • Budibase versions prior to 3.39.0
  • Deployments using Slack, Discord, or Microsoft Teams chat integrations
  • Self-hosted and cloud Budibase instances exposing the chat-links API

Discovery Timeline

  • 2026-06-26 - CVE-2026-50132 published to NVD
  • 2026-06-30 - Last updated in NVD database

Technical Details for CVE-2026-50132

Vulnerability Analysis

The flaw is a Cross-Site Request Forgery (CSRF) issue combined with broken access control [CWE-284]. The endpoint GET /api/chat-links/:instance/:token/handoff accepts a session token embedded directly in the URL path. The attacker generates this token from their own /link slash command in Slack, Discord, or Microsoft Teams. The token embeds the attacker's externalUserId.

When the victim, already authenticated to Budibase, clicks the URL, the browser transmits their session cookies automatically. The server accepts the request, resolves the victim's authenticated identity, and binds it to the attacker-controlled external chat identity. The response returns only "Authentication succeeded." and reveals nothing about the linking operation.

Root Cause

The root cause is the use of a state-changing GET request without CSRF protection or user consent verification. The endpoint conflates authentication of the Budibase session with authorization to perform account linking. The token in the URL authenticates the external identity but not the intent of the Budibase user to consent to the binding.

Attack Vector

Exploitation requires the victim to be authenticated to Budibase and to visit an attacker-supplied URL. The attacker generates the handoff URL from their own chat account using the /link slash command. They then deliver the URL via phishing, embedded content, or any channel that renders links. Once visited, the binding is permanent and grants the attacker persistent access to the victim's account through chat-based interactions.

No verified exploit code is publicly available. Refer to the Budibase GitHub Security Advisory GHSA-v7j5-vc4m-723w for authoritative technical details.

Detection Methods for CVE-2026-50132

Indicators of Compromise

  • Access log entries containing GET /api/chat-links/ followed by /handoff from browser user agents with valid session cookies
  • Unexpected chat identity bindings in the Budibase user database that do not correspond to user-initiated /link commands
  • Server responses containing the literal string "Authentication succeeded." on the handoff endpoint

Detection Strategies

  • Audit application logs for requests to the /api/chat-links/:instance/:token/handoff route and correlate them with the referring domain
  • Review the internal chat-identity mapping table for bindings created without a corresponding audit trail of user consent
  • Alert on handoff requests where the Referer header points to an untrusted external domain

Monitoring Recommendations

  • Ingest Budibase reverse proxy and application logs into a centralized log platform and hunt for the handoff path pattern
  • Monitor for chat-link bindings created outside expected onboarding workflows or from unusual IP ranges
  • Track user reports of unauthorized chat commands executing under their Budibase identity

How to Mitigate CVE-2026-50132

Immediate Actions Required

  • Upgrade all Budibase deployments to version 3.39.0 or later without delay
  • Audit existing chat-identity bindings and revoke any that cannot be attributed to legitimate user actions
  • Notify users of the chat integration risk and require re-verification of Slack, Discord, and Microsoft Teams links

Patch Information

Budibase resolved the vulnerability in version 3.39.0. The fix introduces authentication, consent, and CSRF controls on the handoff endpoint. Details are available in the Budibase GitHub Security Advisory GHSA-v7j5-vc4m-723w.

Workarounds

  • Block access to the /api/chat-links/*/handoff path at the reverse proxy or web application firewall (WAF) until the upgrade is applied
  • Disable Slack, Discord, and Microsoft Teams chat integrations in Budibase configuration if they are not required
  • Restrict Budibase access to authenticated corporate networks to limit exposure to phishing-delivered handoff URLs
bash
# Example NGINX rule to block the vulnerable endpoint until patched
location ~ ^/api/chat-links/[^/]+/[^/]+/handoff$ {
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.