Weakness in Budibase Open-Source Low-Code Platform Allows Unauthorized Account Linking
CVE-2026-50132

7.3 HIGH

Key Information:

Vendor

Budibase

Status
Vendor
CVE Published:
26 June 2026

What is CVE-2026-50132?

Budibase versions prior to 3.39.0 contain a significant security vulnerability in a public API endpoint that allows an attacker to link their external chat identity (e.g., Slack, Discord, MS Teams) to a victim's user account without the victim's consent. The link is made when an authenticated user inadvertently opens a malformed URL, which results in an unauthorized modification of their account. The attack is possible because the endpoint lacks proper authentication and CSRF protection: the attacker's chat identity is silently and permanently linked to the victim's account, and the endpoint returns an 'Authentication succeeded' response. This flaw underscores the importance of implementing robust security measures for public endpoints.

Affected Version(s)

budibase < 3.39.0

References

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
