CVE-2026-31816

CRITICAL EPSS 96.4%

Published Mar 9, 20263mo ago · Modified Jun 17, 20261w ago

9.1 CVSS 3.1

Critical

Published Mar 9, 2026 3mo ago

Last Modified Jun 17, 2026 1w ago

Description

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized() middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any request. The isWebhookEndpoint() function uses an unanchored regex that tests against ctx.request.url, which in Koa includes the full URL with query parameters. When the regex matches, the authorized() middleware immediately calls return next(), skipping all authentication, authorization, role checks, and CSRF protection. This means a completely unauthenticated, remote attacker can access any server-side API endpoint by simply appending ?/webhooks/trigger (or any webhook pattern variant) to the URL.

CVSS Details

Base Score

9.1

Exploitability

3.9

Impact

5.2

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability None

Threat Intelligence

EPSS Exploit Probability

96.4% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 1

CWE-74

Affected Products 1

Vendor	Product	Version	Range
budibase	budibase	*	≤3.31.4

References 1

github.com https://github.com/Budibase/budibase/security/advisories/GHSA-gw94-hprh-4wj8

ExploitVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.