Improper Authentication in Budibase Low-Code Platform
CVE-2026-50137

8.2 HIGH

Key Information:

Vendor: Budibase
Status: Vendor
CVE Published: 26 June 2026

What is CVE-2026-50137?

Budibase, a widely used open-source low-code platform, contains an improper-authentication flaw caused by insufficient access controls on one of its API routes. An unauthenticated attacker who knows a workspace ID and the ID of an S3 data source can call the /api/attachments/:datasourceId/url endpoint and receive a pre-signed PUT URL that is valid for 15 minutes. Because that URL is signed with the IAM credentials of the Budibase host, not with any credential belonging to the caller, the attacker can write objects to any S3 bucket those credentials may write to, not only the bucket configured for the data source. The root cause is a misconfigured middleware chain that lets anonymous requests reach this route. The issue is fixed in Budibase 3.39.0; until an upgrade is possible, restricting the host's IAM role to the specific buckets the application actually needs limits what a leaked pre-signed URL can reach.
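The following is an added illustration of the bug class described above, not Budibase source code. It is a minimal synchronous Koa-style pipeline built on Node's standard library only. The route path is taken from the advisory; the datasource table, the caller-supplied bucket parameter, the workspace membership check and the stand-in presigner are assumptions made for the example. It shows the route mounted ahead of the authentication middleware (so the gate never runs) beside a hardened version where authentication runs first and the URL is always signed for the datasource's configured bucket.

```javascript
// Added illustration for CVE-2026-50137's bug class: an upload-URL route that sits
// outside the authentication middleware. This is NOT Budibase source; it is a tiny
// synchronous Koa-style pipeline using only Node's standard library. The route path
// matches the advisory; the datasource table, the "bucket" query parameter, the
// workspace check and the stand-in presigner are assumptions for illustration.

// Constructed datasource registry: id -> owning workspace and configured bucket.
const DATASOURCES = {
  ds_1: { workspaceId: "ws_a", bucket: "tenant-uploads" },
};

// Stand-in for a real S3 presigner. A genuine pre-signed URL is signed with the
// host's IAM credentials, so it is honoured for any bucket those credentials may
// write to; here we only embed the principal, bucket, key and a 15-minute expiry.
function presignPut(bucket, key, now = Date.now()) {
  const expires = now + 15 * 60 * 1000;
  return `https://${bucket}.s3.example/${encodeURIComponent(key)}` +
    `?X-Amz-Credential=budibase-host-role&X-Expires=${expires}`;
}

// Minimal Koa-like compose(): middlewares receive (ctx, next) and run in order.
function compose(middlewares) {
  return (ctx) => {
    const dispatch = (i) => {
      const fn = middlewares[i];
      if (fn) fn(ctx, () => dispatch(i + 1));
    };
    dispatch(0);
  };
}

// Authentication gate: rejects anonymous requests before any handler runs.
function authenticated(ctx, next) {
  if (!ctx.user) { ctx.status = 401; ctx.body = { message: "Unauthorized" }; return; }
  next();
}

const ATTACHMENT_URL = /^\/api\/attachments\/([^/]+)\/url$/;

function lookupDatasource(ctx) {
  const match = ATTACHMENT_URL.exec(ctx.path);
  return match ? DATASOURCES[match[1]] : undefined;
}

// Handler as the pre-fix behaviour is assumed to work: no caller identity is
// needed and a caller-supplied bucket overrides the datasource's configured one.
function attachmentUrlTrusting(ctx) {
  const ds = lookupDatasource(ctx);
  if (!ds) { ctx.status = 404; return; }
  const bucket = ctx.query.bucket || ds.bucket;          // attacker-controlled
  ctx.status = 200;
  ctx.body = { url: presignPut(bucket, ctx.query.key) };
}

// Hardened handler: runs only behind authenticated(), requires the caller to be a
// member of the datasource's workspace, and always signs for the configured bucket.
function attachmentUrlBound(ctx) {
  const ds = lookupDatasource(ctx);
  if (!ds) { ctx.status = 404; return; }
  if (!ctx.user.workspaces.includes(ds.workspaceId)) {
    ctx.status = 403; ctx.body = { message: "Forbidden" }; return;
  }
  if (ctx.query.bucket && ctx.query.bucket !== ds.bucket) {
    ctx.status = 403; ctx.body = { message: "Bucket not permitted" }; return;
  }
  ctx.status = 200;
  ctx.body = { url: presignPut(ds.bucket, ctx.query.key) };
}

// Vulnerable pipeline: the handler is registered ahead of the auth middleware, so
// the gate never runs for this route. (An auth allowlist that omits the path fails
// the same way.)
const vulnerableApp = compose([attachmentUrlTrusting, authenticated]);

// Fixed pipeline: authentication first, then the bucket- and workspace-bound handler.
const hardenedApp = compose([authenticated, attachmentUrlBound]);

// Drives one request through an app and returns the finished context.
function request(app, { path, query = {}, user = null }) {
  const ctx = { path, query, user, status: 404, body: null };
  app(ctx);
  return ctx;
}

// Example run: the same anonymous request, foreign bucket included, against each pipeline.
const probe = { path: "/api/attachments/ds_1/url", query: { key: "a.txt", bucket: "other-bucket" } };
console.log(request(vulnerableApp, probe).status, request(hardenedApp, probe).status); // 200 401
```

The two pipelines differ only in middleware order and in where the bucket name comes from, which is exactly the kind of change that is easy to get wrong when a route is added to an application whose authentication is applied selectively. A quick regression check for any such route is the anonymous request in the final line: a pre-signed URL in the response means the route is outside the gate.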

Affected Version(s)

budibase < 3.39.0

References

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published (26 June 2026)

  • Vulnerability reserved