CVE-2026-31816
Received Received - Intake
Authentication Bypass in Budibase Server via Webhook Regex Flaw

Publication date: 2026-03-09

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized() middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any request. The isWebhookEndpoint() function uses an unanchored regex that tests against ctx.request.url, which in Koa includes the full URL with query parameters. When the regex matches, the authorized() middleware immediately calls return next(), skipping all authentication, authorization, role checks, and CSRF protection. This means a completely unauthenticated, remote attacker can access any server-side API endpoint by simply appending ?/webhooks/trigger (or any webhook pattern variant) to the URL.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-09
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31816
EUVD
EUVD-2026-10358
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
budibase budibase to 3.31.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-31816 is a critical authentication bypass vulnerability in Budibase server version 3.31.4 and earlier. The vulnerability exists because the server's authorized() middleware, which protects all server-side API endpoints, can be bypassed by appending a webhook path pattern (such as ?/webhooks/trigger) to the query string of any request."}, {'type': 'paragraph', 'content': 'This happens because the isWebhookEndpoint() function uses an unanchored regular expression to test the full request URL including query parameters. When the regex matches the webhook pattern anywhere in the URL, the authorized() middleware skips all authentication, authorization, role checks, and CSRF protection by immediately calling next().'}, {'type': 'paragraph', 'content': 'As a result, an unauthenticated remote attacker can access any server-side API endpoint by simply appending a webhook pattern to the URL, bypassing all security controls.'}] [1]

Impact Analysis

This vulnerability allows a completely unauthenticated attacker to fully compromise Budibase server instances running the vulnerable version.

  • Complete authentication bypass on all server-side API endpoints.
  • Full Create, Read, Update, Delete (CRUD) access to all application data including tables, rows, automations, data sources, queries, views, and plugins.
  • Bypassing of all authorization, role checks, and CSRF protection.
  • Remote exploitation over the network with no user interaction or privileges required.
Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by attempting to access Budibase server-side API endpoints with a webhook path pattern appended to the query string, such as `?/webhooks/trigger`. If the server responds without requiring authentication, it indicates the presence of the vulnerability.

Proof-of-Concept commands to test for the vulnerability include sending HTTP requests with the webhook pattern appended to various API endpoints, for example:

  • POST request to `/api/ta_users/search?/webhooks/trigger` to check if user data can be read without authentication.
  • POST request to `/api/tables?/webhooks/trigger` to test if a table can be created without authentication.
  • DELETE request to `/api/tables/<TABLE_ID>/<TABLE_REV>?/webhooks/trigger` to test if a table can be deleted without authentication.
  • Appending `?/webhooks/trigger` to other API endpoints like data sources, automations, roles, integrations, views, and plugins to check for unauthorized access.
Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31816. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart