CVE-2026-50137 Overview
CVE-2026-50137 is a missing authorization vulnerability [CWE-862] in Budibase, an open-source low-code platform. Versions prior to 3.39.0 expose the POST /api/attachments/:datasourceId/url endpoint without any authentication middleware. An unauthenticated attacker who can enumerate a workspace identifier (app_...) and an S3-source datasource identifier (ds_...) can request a 15-minute pre-signed PUT URL minted with the victim's stored IAM credentials. The endpoint accepts an attacker-controlled bucket name, allowing writes to any bucket reachable by those credentials.
Critical Impact
Anonymous attackers can obtain AWS Signature V4 pre-signed PUT URLs using a victim's IAM identity and write arbitrary objects to any bucket those credentials can access.
Affected Products
- Budibase versions prior to 3.39.0
- Budibase self-hosted deployments exposing the /api/attachments route
- Budibase workspaces with configured S3-source datasources
Discovery Timeline
- 2026-06-26 - CVE-2026-50137 published to NVD
- 2026-06-30 - Last updated in NVD database
Technical Details for CVE-2026-50137
Vulnerability Analysis
The flaw resides in the Budibase server route POST /api/attachments/:datasourceId/url, defined in packages/server/src/api/routes/static.ts. The route is registered with only the reCAPTCHA middleware. No authorized(...) middleware is present in the handler chain. The controller getSignedUploadURL in packages/server/src/api/controllers/static/index.ts loads the requested datasource, instantiates an AWS S3 client with the datasource's stored accessKeyId and secretAccessKey, and returns a pre-signed PutObjectCommand URL. The response also includes the publicUrl, telling the attacker exactly where the uploaded object lands.
Root Cause
The route lacks an authorization guard. auth.buildAuthMiddleware([], { publicAllowed: true }) runs earlier in the chain and explicitly permits anonymous requests. The workspace context needed by sdk.datasources.get is resolved by getWorkspaceIdFromCtx in packages/backend-core/src/utils/utils.ts, which accepts the workspace identifier from the x-budibase-app-id header, the JSON body appId, a path segment starting with the workspace prefix, or the ?appId= query parameter. The controller does not pin the pre-signed URL to the datasource's configured bucket, so the attacker supplies any bucket name.
Attack Vector
An unauthenticated attacker enumerates or discovers a workspace ID and an S3 datasource ID. The attacker sends a crafted request to the vulnerable endpoint using any non-browser HTTP client such as curl. The currentWorkspace middleware's "deny access to dev preview" branch only triggers when isBrowser(ctx) && !isApiKey(ctx) evaluates true. isBrowser inspects the parsed User-Agent, so any client not sending a recognised browser UA also reaches dev workspaces. The server returns a 15-minute pre-signed PUT URL signed with the victim's IAM identity, which the attacker uses to upload objects to any writable bucket.
No verified public proof-of-concept code is published in the enriched data. See the Budibase GitHub Security Advisory for the maintainers' technical description.
Detection Methods for CVE-2026-50137
Indicators of Compromise
- Unauthenticated HTTP POST requests to /api/attachments/:datasourceId/url on Budibase servers.
- Requests to Budibase endpoints from non-browser User-Agent strings such as curl, python-requests, or empty UA headers combined with workspace and datasource identifiers.
- AWS CloudTrail PutObject events on buckets not owned by the Budibase workspace using the datasource's IAM identity.
Detection Strategies
- Inspect Budibase reverse-proxy and application logs for requests to /api/attachments/*/url lacking session cookies or API keys.
- Correlate pre-signed URL issuance with subsequent s3:PutObject calls in CloudTrail to buckets outside the expected datasource configuration.
- Alert on Budibase HTTP requests carrying x-budibase-app-id headers from anonymous sources.
Monitoring Recommendations
- Enable verbose access logging on the Budibase HTTP layer and forward to a centralized SIEM for retention.
- Monitor IAM credentials associated with Budibase S3 datasources for anomalous bucket targets and geographic origins.
- Track outbound requests from Budibase workers to unexpected AWS S3 endpoints and regions.
How to Mitigate CVE-2026-50137
Immediate Actions Required
- Upgrade Budibase to version 3.39.0 or later, which introduces the missing authorization check on the affected route.
- Rotate any accessKeyId and secretAccessKey values stored in S3-source datasources on affected instances.
- Audit AWS CloudTrail for unauthorized PutObject activity performed by the datasource IAM identities.
Patch Information
Budibase resolved this vulnerability in release 3.39.0. The fix adds the missing authorization middleware to the /api/attachments/:datasourceId/url route and prevents anonymous callers from invoking getSignedUploadURL. Refer to the Budibase GitHub Security Advisory GHSA-35c4-rvc8-frhm for release notes and remediation guidance.
Workarounds
- Restrict IAM permissions on datasource credentials to the specific bucket and prefix required, preventing writes to other buckets.
- Place Budibase behind a reverse proxy or WAF rule that blocks unauthenticated requests to /api/attachments/*/url.
- Remove or disable S3-source datasources on affected servers until the upgrade to 3.39.0 completes.
# Example WAF rule concept blocking unauthenticated requests to the vulnerable route
# Deny POST /api/attachments/*/url when no session cookie or API key header is present
location ~ ^/api/attachments/[^/]+/url$ {
if ($http_cookie !~* "budibase:sess") { return 403; }
proxy_pass http://budibase_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

