CVE-2026-31816
Authentication Bypass in Budibase Server via Webhook Regex Flaw
Publication date: 2026-03-09
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| budibase | budibase | up to and including 3.31.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31816 is a critical authentication bypass vulnerability in Budibase server version 3.31.4 and earlier. The vulnerability exists because the server's authorized() middleware, which protects all server-side API endpoints, can be bypassed by appending a webhook path pattern (such as ?/webhooks/trigger) to the query string of any request.

This happens because the isWebhookEndpoint() function uses an unanchored regular expression to test the full request URL including query parameters. When the regex matches the webhook pattern anywhere in the URL, the authorized() middleware skips all authentication, authorization, role checks, and CSRF protection by immediately calling next().

As a result, an unauthenticated remote attacker can access any server-side API endpoint by simply appending a webhook pattern to the URL, bypassing all security controls. [1]
How can this vulnerability impact me?
This vulnerability allows a completely unauthenticated attacker to fully compromise Budibase server instances running the vulnerable version.
- Complete authentication bypass on all server-side API endpoints.
- Full Create, Read, Update, Delete (CRUD) access to all application data including tables, rows, automations, data sources, queries, views, and plugins.
- Bypassing of all authorization, role checks, and CSRF protection.
- Remote exploitation over the network with no user interaction or privileges required.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access Budibase server-side API endpoints with a webhook path pattern appended to the query string, such as `?/webhooks/trigger`. If the server responds without requiring authentication, it indicates the presence of the vulnerability.
Proof-of-Concept commands to test for the vulnerability include sending HTTP requests with the webhook pattern appended to various API endpoints, for example:
- POST request to `/api/ta_users/search?/webhooks/trigger` to check if user data can be read without authentication.
- POST request to `/api/tables?/webhooks/trigger` to test if a table can be created without authentication.
- DELETE request to `/api/tables/<TABLE_ID>/<TABLE_REV>?/webhooks/trigger` to test if a table can be deleted without authentication.
- Appending `?/webhooks/trigger` to other API endpoints like data sources, automations, roles, integrations, views, and plugins to check for unauthorized access.
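The regex flaw described in the explanation above, and the "does an unauthenticated request reach the handler" check behind the detection steps, as an added illustration that is not Budibase's own code: a hypothetical webhook check written the way the advisory describes it, beside a hardened version that inspects only the pathname. The route layout `/api/webhooks/trigger/...`, the middleware shape and the sample URLs are assumptions for this example.

```javascript
// Added illustration (not Budibase's code). Hypothetical webhook check that
// mirrors the advisory: an unanchored regex tested against the full URL,
// query string included, so "?/webhooks/trigger" satisfies it anywhere.
const WEBHOOK_RE_UNANCHORED = /\/webhooks\/trigger/;
function isWebhookEndpointFlawed(ctx) {
  return WEBHOOK_RE_UNANCHORED.test(ctx.url);
}

// Hardened check: parse the URL, look only at the pathname (Koa also exposes
// this as ctx.path) and anchor the pattern to the start of the path, so
// nothing placed in the query string can make a non-webhook route match.
// Route prefix /api/webhooks/trigger is assumed for the example.
const WEBHOOK_RE_ANCHORED = /^\/api\/webhooks\/trigger(\/|$)/;
function isWebhookEndpointFixed(ctx) {
  const { pathname } = new URL(ctx.url, "http://localhost");
  return WEBHOOK_RE_ANCHORED.test(pathname);
}

// Minimal stand-in for an authorized() middleware: webhook routes skip the
// session check, every other route requires an authenticated session.
function authorized(isWebhook) {
  return (ctx, next) => {
    if (isWebhook(ctx)) return next();
    if (!ctx.authenticated) {
      ctx.status = 401;
      return "unauthorized";
    }
    return next();
  };
}

// Run unauthenticated requests through the middleware and return the URLs
// that reached the handler without a session. Only the real webhook route
// should ever appear in this list.
function reachableWithoutAuth(isWebhook, urls) {
  const mw = authorized(isWebhook);
  return urls.filter((url) => {
    const ctx = { url, authenticated: false, status: 200 };
    return mw(ctx, () => "handled") === "handled";
  });
}

// Constructed sample requests: a legitimate webhook call, a plain API call,
// and the advisory's bypass form of the same API call.
const SAMPLE_URLS = [
  "/api/webhooks/trigger/app_1/wh_1",
  "/api/tables",
  "/api/tables?/webhooks/trigger",
];
```

With the flawed check the bypass form of `/api/tables` reaches the handler unauthenticated; with the hardened check only the genuine webhook route does.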
What immediate steps should I take to mitigate this vulnerability?
I don't know