Executive Summary

CVE-2026-42239 is a vulnerability in Budibase's authentication cookie configuration prior to version 3.35.10. The `budibase:auth` cookie, which contains the JWT session token, was set with `httpOnly: false`, allowing JavaScript to access it via `document.cookie`. This means that if an attacker exploits any cross-site scripting (XSS) vulnerability, they can steal the JWT token and take over the victim's account persistently.

Additionally, the cookie lacked the `secure: true` flag, so it could be sent over unencrypted HTTP connections, and it also missed the `sameSite` attribute, making it vulnerable to cross-site request forgery (CSRF) attacks.

This vulnerability was fixed in Budibase version 3.35.10 by setting the cookie with `httpOnly: true`, `secure: true`, and `sameSite: 'lax'` attributes.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a full account takeover if an attacker exploits an XSS vulnerability to steal the JWT session token from the `budibase:auth` cookie.

Because the cookie is accessible via JavaScript and transmitted over unencrypted HTTP, attackers can gain persistent access to user accounts, compromising confidentiality and integrity.

Furthermore, the missing `sameSite` attribute exposes users to cross-site request forgery (CSRF) attacks, potentially allowing unauthorized actions on behalf of the user.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the budibase:auth cookie being set with httpOnly: false, allowing JavaScript access via document.cookie. To detect this on your system, you can inspect the cookies set by the Budibase application in your browser or via network traffic.

• In a browser, open developer tools, go to the Application tab, and check the cookies for budibase:auth. Verify if the httpOnly flag is missing.
• Use curl or similar tools to inspect the Set-Cookie header from the Budibase server responses, for example: curl -I http://your-budibase-instance | grep Set-Cookie
• Check if the cookie lacks the secure and sameSite attributes by analyzing the Set-Cookie header.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to update Budibase to version 3.35.10 or later, where the vulnerability has been fixed.

If updating immediately is not possible, ensure that the budibase:auth cookie is configured with the following attributes:

• httpOnly: true — to prevent JavaScript access to the cookie.
• secure: true — to ensure the cookie is only sent over HTTPS.
• sameSite: 'lax' — to reduce the risk of cross-site request forgery (CSRF) attacks.

Additionally, review and fix any existing cross-site scripting (XSS) vulnerabilities, as they can be exploited to steal the JWT token due to this cookie misconfiguration.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers to steal JWT session tokens via JavaScript access to the authentication cookie, leading to full account takeover and persistent unauthorized access.

Such unauthorized access and potential data breaches could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of user data confidentiality and integrity.

The lack of secure cookie attributes (httpOnly, secure, sameSite) increases the risk of session hijacking and cross-site request forgery, which are critical security controls under these regulations.

Therefore, until patched, this vulnerability could lead to non-compliance with these standards due to insufficient protection of authentication tokens and user sessions.

Useful 0 Not Useful 0