Cross-Site Request Forgery Vulnerability in Budibase Low-Code Platform
CVE-2026-48147

6.5 MEDIUM

Key Information:

Vendor:
Budibase

Status:
Vendor

CVE Published:
27 May 2026

What is CVE-2026-48147?

The Budibase low-code platform, prior to version 3.35.4, contains a Cross-Site Request Forgery vulnerability caused by improper handling of route patterns in its middleware. The buildMatcherRegex() and matches() functions build unanchored regular expressions and test them against the full request URL, query string included, so a pattern that appears anywhere in the URL satisfies the check. This flawed validation allows unauthenticated attackers to forge cross-origin requests to any Worker API endpoint. By exploiting this vulnerability, attackers can perform actions such as sending invite requests to administrators, altering global settings, and managing user accounts without the requisite CSRF token validation. The issue is fixed in version 3.35.4.
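The bug class described above, as a constructed illustration that is not Budibase's own code: a route-pattern matcher built without anchors and tested against the full URL, beside a hardened matcher that anchors the pattern and tests only the path. The function names, the exempt-route list and the sample URLs are assumptions made for this example.

```typescript
// Constructed illustration of unanchored route patterns tested against the
// full URL (path + query string). Names and the exempt list are assumptions
// for this example, not Budibase's actual implementation.

// Hypothetical routes that are allowed to skip the CSRF token check.
const CSRF_EXEMPT_PATTERNS: string[] = ["/api/global/auth", "/api/global/auth/*"];

// Escape regex metacharacters, then let "*" stand for any path suffix.
function patternToSource(pattern: string): string {
  return pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
}

// Vulnerable style: no ^/$ anchors, and the caller passes the full URL, so a
// pattern occurring anywhere (including inside the query string) matches.
function buildMatcherRegexUnanchored(pattern: string): RegExp {
  return new RegExp(patternToSource(pattern));
}

function isCsrfExemptVulnerable(fullUrl: string): boolean {
  return CSRF_EXEMPT_PATTERNS.some((p) => buildMatcherRegexUnanchored(p).test(fullUrl));
}

// Hardened style: anchor the pattern to the whole string and test only the
// path, so nothing in the query string or fragment can satisfy an exemption.
function buildMatcherRegexAnchored(pattern: string): RegExp {
  return new RegExp(`^${patternToSource(pattern)}$`);
}

function isCsrfExemptHardened(fullUrl: string): boolean {
  // In a Koa app the framework's parsed path (ctx.path) is the right source;
  // here the query string and fragment are stripped by hand.
  const pathname = fullUrl.split(/[?#]/)[0];
  return CSRF_EXEMPT_PATTERNS.some((p) => buildMatcherRegexAnchored(p).test(pathname));
}

// Constructed sample requests: a state-changing endpoint whose query string
// merely mentions an exempt route must still require the CSRF token.
const SAMPLE_URLS: string[] = [
  "/api/global/auth",                            // genuinely exempt
  "/api/global/auth/login?next=1",               // exempt, query present
  "/api/global/users?redirect=/api/global/auth", // must NOT be exempt
  "/api/global/settings",                        // must NOT be exempt
];

// Returns [url, exempt-per-vulnerable-matcher, exempt-per-hardened-matcher].
function compareMatchers(): Array<[string, boolean, boolean]> {
  return SAMPLE_URLS.map((u): [string, boolean, boolean] =>
    [u, isCsrfExemptVulnerable(u), isCsrfExemptHardened(u)]);
}
```

The third sample URL is the detection signal a reviewer should look for: the unanchored matcher reports it as exempt while the anchored, path-only matcher does not.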

Affected Version(s)

budibase < 3.35.4

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published: 27 May 2026

  • Vulnerability reserved