Unauthorized API Access Vulnerability in Budibase Low Code Platform
CVE-2026-31816

9.1CRITICAL

Key Information:

Vendor

Budibase

Status
Budibase
Vendor
CVE Published:
9 March 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-31816?

Budibase, a low code platform for creating internal tools, exhibits a significant vulnerability in its server's authorization mechanism. In versions 3.31.4 and earlier, the 'authorized()' middleware designed to protect server-side API endpoints can be bypassed entirely by appending a specific webhook path to the query string of requests. The flawed regex implementation in the 'isWebhookEndpoint()' function allows attackers to circumvent necessary authentication and authorization checks with ease, thereby exposing sensitive server-side API endpoints to unverified users. This vulnerability enables remote attackers to access these endpoints without any authentication, leading to potential data leaks or unauthorized data manipulation.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

budibase <= 3.31.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-31816-rshell
Created by imjdl

References

https://github.com/Budibase/budibase/security/advisories/...
x_refsource_CONFIRM

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

JSON
.