Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-50136

CVE-2026-50136: Budibase Auth Bypass Vulnerability

CVE-2026-50136 is an authentication bypass flaw in Budibase that exposes unauthenticated S3 presigned URL generation, allowing attackers to upload to arbitrary buckets. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-50136 Overview

Budibase is an open-source low-code platform used to build internal tools and business applications. CVE-2026-50136 affects Budibase versions prior to 3.39.3. The application server exposes an unauthenticated endpoint that generates Amazon Simple Storage Service (S3) PutObject presigned URLs using credentials stored in a workspace datasource. The route is protected only by reCAPTCHA middleware and does not require authentication, table permission, datasource permission, or builder access. This weakness is categorized as [CWE-306] Missing Authentication for Critical Function.

Critical Impact

A public caller who knows a workspace ID and S3 datasource ID can request signed upload URLs targeting attacker-controlled bucket and key values, abusing stored credentials.

Affected Products

  • Budibase versions prior to 3.39.3
  • Self-hosted Budibase application server deployments
  • Budibase workspaces configured with S3 datasources

Discovery Timeline

  • 2026-06-26 - CVE-2026-50136 published to the National Vulnerability Database
  • 2026-06-30 - Last updated in NVD database

Technical Details for CVE-2026-50136

Vulnerability Analysis

The Budibase application server exposes a route that generates S3 PutObject presigned URLs using credentials stored in a workspace datasource configuration. The route accepts caller-supplied bucket and key parameters and signs them with the datasource's AWS credentials. Because the route requires no authentication and no permission checks, any network-reachable client can invoke it.

The endpoint is guarded only by reCAPTCHA middleware, which is intended to deter automated abuse rather than enforce access control. This design confuses bot mitigation with authentication. A caller who obtains or guesses a workspace ID and an S3 datasource ID can drive the endpoint to sign arbitrary upload requests.

Root Cause

The root cause is Missing Authentication for Critical Function [CWE-306]. A sensitive credential-using route was placed behind reCAPTCHA instead of the platform's authentication, table permission, datasource permission, or builder access controls. Presigned URL generation must treat stored cloud credentials as privileged material and enforce authorization on every use.

Attack Vector

The attack vector is network-based and requires no privileges or user interaction. An attacker enumerates or obtains a workspace ID and an S3 datasource ID, then sends a request to the presigned URL endpoint supplying an attacker-controlled bucket and key. The server returns a signed URL that can be used to upload objects using the datasource's AWS credentials, enabling integrity impact against attacker-selected S3 targets that the credentials can reach.

No verified public exploit code is available at this time. See the GitHub Security Advisory GHSA-jj36-r9w3-3pfh for vendor technical details.

Detection Methods for CVE-2026-50136

Indicators of Compromise

  • Requests to the Budibase presigned URL generation endpoint from unauthenticated sources or unusual IP ranges.
  • Outbound S3 PutObject operations from Budibase datasource credentials targeting buckets that are not part of the deployment's known S3 inventory.
  • CloudTrail PutObject events signed with Budibase-associated access keys but originating from external client IPs.

Detection Strategies

  • Inspect Budibase application server access logs for high-volume or anonymous requests to the presigned URL route with varying bucket and key values.
  • Correlate AWS CloudTrail activity for the access keys stored in Budibase S3 datasources against expected application workflows.
  • Alert on presigned URL generation requests that succeed without an authenticated session cookie or bearer token.

Monitoring Recommendations

  • Enable CloudTrail data events for S3 buckets referenced by Budibase datasources and forward them to a central analytics platform.
  • Baseline the normal set of buckets accessed by Budibase credentials and flag deviations.
  • Monitor reCAPTCHA challenge volume against the presigned URL endpoint to spot automated abuse patterns.

How to Mitigate CVE-2026-50136

Immediate Actions Required

  • Upgrade Budibase to version 3.39.3 or later on all self-hosted deployments.
  • Rotate AWS access keys used by any Budibase S3 datasource that existed on a vulnerable version.
  • Review CloudTrail history for the affected credentials and revoke any unauthorized objects uploaded to attacker-controlled buckets.

Patch Information

The vulnerability is fixed in Budibase 3.39.3. The vendor advisory is published at GitHub Security Advisory GHSA-jj36-r9w3-3pfh. Administrators should apply the update through their standard Budibase deployment process, whether Docker, Kubernetes, or the hosted upgrade path.

Workarounds

  • Restrict network access to the Budibase application server so that only trusted users can reach the API surface.
  • Scope IAM policies on Budibase S3 datasource credentials to specific buckets and prefixes, denying access to unrelated targets.
  • Remove S3 datasources from workspaces that do not require them until the upgrade to 3.39.3 is complete.
bash
# Example least-privilege IAM policy scoping Budibase S3 credentials to a single bucket
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject"],
      "Resource": "arn:aws:s3:::budibase-app-uploads/*"
    }
  ]
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.