CVE-2026-50136 Overview
Budibase is an open-source low-code platform used to build internal tools and business applications. CVE-2026-50136 affects Budibase versions prior to 3.39.3. The application server exposes an unauthenticated endpoint that generates Amazon Simple Storage Service (S3) PutObject presigned URLs using credentials stored in a workspace datasource. The route is protected only by reCAPTCHA middleware and does not require authentication, table permission, datasource permission, or builder access. This weakness is categorized as [CWE-306] Missing Authentication for Critical Function.
Critical Impact
A public caller who knows a workspace ID and S3 datasource ID can request signed upload URLs targeting attacker-controlled bucket and key values, abusing stored credentials.
Affected Products
- Budibase versions prior to 3.39.3
- Self-hosted Budibase application server deployments
- Budibase workspaces configured with S3 datasources
Discovery Timeline
- 2026-06-26 - CVE-2026-50136 published to the National Vulnerability Database
- 2026-06-30 - Last updated in NVD database
Technical Details for CVE-2026-50136
Vulnerability Analysis
The Budibase application server exposes a route that generates S3 PutObject presigned URLs using credentials stored in a workspace datasource configuration. The route accepts caller-supplied bucket and key parameters and signs them with the datasource's AWS credentials. Because the route requires no authentication and no permission checks, any network-reachable client can invoke it.
The endpoint is guarded only by reCAPTCHA middleware, which is intended to deter automated abuse rather than enforce access control. This design confuses bot mitigation with authentication. A caller who obtains or guesses a workspace ID and an S3 datasource ID can drive the endpoint to sign arbitrary upload requests.
Root Cause
The root cause is Missing Authentication for Critical Function [CWE-306]. A sensitive credential-using route was placed behind reCAPTCHA instead of the platform's authentication, table permission, datasource permission, or builder access controls. Presigned URL generation must treat stored cloud credentials as privileged material and enforce authorization on every use.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker enumerates or obtains a workspace ID and an S3 datasource ID, then sends a request to the presigned URL endpoint supplying an attacker-controlled bucket and key. The server returns a signed URL that can be used to upload objects using the datasource's AWS credentials, enabling integrity impact against attacker-selected S3 targets that the credentials can reach.
No verified public exploit code is available at this time. See the GitHub Security Advisory GHSA-jj36-r9w3-3pfh for vendor technical details.
Detection Methods for CVE-2026-50136
Indicators of Compromise
- Requests to the Budibase presigned URL generation endpoint from unauthenticated sources or unusual IP ranges.
- Outbound S3 PutObject operations from Budibase datasource credentials targeting buckets that are not part of the deployment's known S3 inventory.
- CloudTrail PutObject events signed with Budibase-associated access keys but originating from external client IPs.
Detection Strategies
- Inspect Budibase application server access logs for high-volume or anonymous requests to the presigned URL route with varying bucket and key values.
- Correlate AWS CloudTrail activity for the access keys stored in Budibase S3 datasources against expected application workflows.
- Alert on presigned URL generation requests that succeed without an authenticated session cookie or bearer token.
Monitoring Recommendations
- Enable CloudTrail data events for S3 buckets referenced by Budibase datasources and forward them to a central analytics platform.
- Baseline the normal set of buckets accessed by Budibase credentials and flag deviations.
- Monitor reCAPTCHA challenge volume against the presigned URL endpoint to spot automated abuse patterns.
How to Mitigate CVE-2026-50136
Immediate Actions Required
- Upgrade Budibase to version 3.39.3 or later on all self-hosted deployments.
- Rotate AWS access keys used by any Budibase S3 datasource that existed on a vulnerable version.
- Review CloudTrail history for the affected credentials and revoke any unauthorized objects uploaded to attacker-controlled buckets.
Patch Information
The vulnerability is fixed in Budibase 3.39.3. The vendor advisory is published at GitHub Security Advisory GHSA-jj36-r9w3-3pfh. Administrators should apply the update through their standard Budibase deployment process, whether Docker, Kubernetes, or the hosted upgrade path.
Workarounds
- Restrict network access to the Budibase application server so that only trusted users can reach the API surface.
- Scope IAM policies on Budibase S3 datasource credentials to specific buckets and prefixes, denying access to unrelated targets.
- Remove S3 datasources from workspaces that do not require them until the upgrade to 3.39.3 is complete.
# Example least-privilege IAM policy scoping Budibase S3 credentials to a single bucket
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:PutObject", "s3:GetObject"],
"Resource": "arn:aws:s3:::budibase-app-uploads/*"
}
]
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

