Vulnerability in Budibase Low-Code Platform's Authentication Middleware
CVE-2026-41428

9.1 CRITICAL

Key Information:

Vendor

Budibase

Status
Vendor
CVE Published:
24 April 2026

What is CVE-2026-41428?

Budibase, an open-source low-code platform, has a vulnerability in its authentication middleware that can allow unauthorized access to protected API endpoints. Prior to version 3.35.4, the middleware used unanchored regular expressions to match public endpoint patterns against incoming requests. Because Koa's ctx.request.url includes the query string, an attacker can append a recognized public endpoint path as a query parameter value. For instance, a request such as POST /api/global/users/search?x=/api/system/status triggers the regex match and bypasses authentication for the protected endpoint. This flaw has been addressed in version 3.35.4, so all users should upgrade.
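The following is an added illustration, not Budibase's code, of the two middleware behaviours the description above contrasts: an allow-list matched with an unanchored regex against the full request URL (Koa's ctx.request.url keeps the query string), and the hardened form that anchors the pattern and tests only the path. The only allow-listed pattern is the /api/system/status endpoint named above; the request lines, the gate() stand-in for the middleware and the log-triage helper flagSuspiciousQuery() are constructed for this example.

```javascript
// Added example, not Budibase's middleware. Models the vulnerable and the
// hardened public-endpoint check described in CVE-2026-41428 as pure functions.

// Pattern as described for the vulnerable versions: no ^ or $ anchors.
const PUBLIC_ENDPOINT_PATTERNS_UNANCHORED = [/\/api\/system\/status/];

// Hardened pattern: anchored to the whole path (optional trailing slash).
const PUBLIC_ENDPOINT_PATTERNS_ANCHORED = [/^\/api\/system\/status\/?$/];

// Koa exposes ctx.request.url as path plus query string; keep only the path.
// Parsing against a dummy origin also drops any fragment and resolves dot
// segments, so "/api/x/../system/status" is not treated as a distinct path.
function pathOf(requestUrl) {
  return new URL(requestUrl, 'http://localhost').pathname;
}

// Vulnerable decision (pre-3.35.4 behaviour as described): an allow-listed
// path appearing anywhere in the URL, query string included, marks the request
// as public and skips authentication.
function isPublicVulnerable(requestUrl) {
  return PUBLIC_ENDPOINT_PATTERNS_UNANCHORED.some((re) => re.test(requestUrl));
}

// Hardened decision: anchored match against the path component only, so query
// parameter values can no longer influence the result.
function isPublicHardened(requestUrl) {
  const path = pathOf(requestUrl);
  return PUBLIC_ENDPOINT_PATTERNS_ANCHORED.some((re) => re.test(path));
}

// Minimal stand-in for the middleware gate: what each implementation does with
// a request that carries no credentials.
function gate(requestUrl, isPublic) {
  return isPublic(requestUrl) ? 'allow-without-auth' : 'require-auth';
}

// Log-triage helper (constructed, not from the advisory): flags requests whose
// path is not public but whose query string carries an allow-listed path, the
// exact shape of the bypass request, so unpatched deployments can hunt for it.
function flagSuspiciousQuery(requestUrl) {
  if (isPublicHardened(requestUrl)) return false;
  const parsed = new URL(requestUrl, 'http://localhost');
  for (const value of parsed.searchParams.values()) {
    if (PUBLIC_ENDPOINT_PATTERNS_ANCHORED.some((re) => re.test(value))) return true;
  }
  return false;
}

// Constructed sample request lines, including the bypass shape quoted above.
const SAMPLE_REQUESTS = [
  'POST /api/system/status',
  'POST /api/global/users/search',
  'POST /api/global/users/search?x=/api/system/status',
];

// Runs every sample request through both implementations and the triage helper.
function compare(requests = SAMPLE_REQUESTS) {
  return requests.map((line) => {
    const [method, url] = line.split(' ');
    return {
      method,
      url,
      vulnerable: gate(url, isPublicVulnerable),
      hardened: gate(url, isPublicHardened),
      suspicious: flagSuspiciousQuery(url),
    };
  });
}

console.table(compare());
```

Running the block prints a table in which only the third request differs between the two columns: the unanchored check lets it through unauthenticated, the anchored path-only check does not, and the triage helper flags it. The fix has two independent parts, anchoring the regex and matching the path rather than the full URL; either alone closes this particular request shape, but applying both removes the whole class of query-string and substring matches.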

Affected Version(s)

budibase < 3.35.4

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
