CVE-2026-48151
Unauthenticated Webhook Schema Modification in Budibase
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| budibase | budibase | 3.39.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-48151 is a vulnerability in Budibase versions prior to 3.39.0 involving an authorization bypass in the webhook schema-building endpoint.
The webhook schema endpoint is registered under builder-only routes, but a generic authorization middleware skips authorization for all webhook schema paths. This allows an unauthenticated attacker to update the body schema of known webhooks and mutate the corresponding automation trigger output schema.
As a result, attackers can send crafted requests to modify webhook and automation schema metadata without any privileges or user interaction.
How can this vulnerability impact me?
This vulnerability primarily impacts data integrity by allowing unauthorized modifications to webhook and automation schemas.
Such unauthorized changes can corrupt automation definitions, alter downstream binding behavior, and disrupt workflows that rely on webhook triggers.
There is no direct impact on confidentiality or availability, but the disruption of automated processes can affect business operations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized updates to the webhook schema via the /api/webhooks/schema endpoint without authentication.
To detect exploitation attempts on your network or system, monitor HTTP requests targeting the /api/webhooks/schema path, especially those that attempt to modify webhook schemas.
You can use network monitoring tools or command-line utilities to filter and inspect such requests.
- Using tcpdump to capture HTTP traffic to the vulnerable endpoint: `tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep '/api/webhooks/schema'` (only plaintext HTTP on port 80 is readable this way; TLS traffic on port 443 has to be inspected where it is terminated, e.g. in the reverse proxy's access log).
- Using curl to test whether the endpoint is reachable without authentication: `curl -X POST http://your-budibase-instance/api/webhooks/schema -d '{"test":"data"}' -v` (on a fixed instance the request should be rejected with an authentication or authorization error rather than accepted).
- Checking application and reverse-proxy logs for unauthorized schema update attempts or unusual POST requests to `/api/webhooks/schema`, particularly from sources that do not normally use the builder.
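As an added example (not from this advisory or from the Budibase project), the following Python script scans reverse-proxy access logs in the common combined format for mutating requests to `/api/webhooks/schema` and reports sources outside trusted builder networks whose request was accepted. It assumes an nginx/Apache proxy in front of Budibase; the log lines, IP addresses and webhook path segments are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumes an nginx/Apache reverse proxy in front of Budibase writing combined-format access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
SCHEMA_PATH = "/api/webhooks/schema"  # endpoint named in the advisory
MUTATING = {"POST", "PUT", "PATCH"}   # methods that could rewrite a schema

@dataclass
class SchemaEvent:
    ip: str
    time: str
    method: str
    path: str
    status: int
    ua: str

    def succeeded(self) -> bool:
        return 200 <= self.status < 300  # on an unpatched instance, the change was applied

def find_schema_mutations(lines):
    """Return mutating requests to the webhook schema route, in log order; skips unparsable lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # match the route regardless of query string
        if m["method"] in MUTATING and (path == SCHEMA_PATH or path.startswith(SCHEMA_PATH + "/")):
            events.append(SchemaEvent(m["ip"], m["time"], m["method"], path, int(m["status"]), m["ua"]))
    return events

def untrusted_successes(events, trusted_networks):
    """Source IPs outside the trusted builder networks whose mutation returned 2xx."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    return sorted({e.ip for e in events
                   if e.succeeded() and not any(ipaddress.ip_address(e.ip) in n for n in nets)})

# Constructed sample (not real traffic): one builder call, two external attempts, one junk line.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/May/2026:09:00:01 +0000] "GET /api/webhooks HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [27/May/2026:09:00:02 +0000] "POST /api/webhooks/schema/app_dev_1/wh_1 HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [27/May/2026:09:05:10 +0000] "POST /api/webhooks/schema/app_dev_1/wh_1 HTTP/1.1" 200 88 "-" "curl/8.5.0"',
    '203.0.113.9 - - [27/May/2026:09:05:11 +0000] "POST /api/webhooks/schema?x=1 HTTP/1.1" 403 0 "-" "curl/8.5.0"',
    "this line is not an access-log record",
]
```

Feed your own proxy log lines to `find_schema_mutations` and pass your builder networks to `untrusted_successes`; any address it returns made a change to a webhook schema from outside the expected administrative range and warrants review of the affected automations.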
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Budibase to version 3.39.0 or later, where this vulnerability is fixed.
Until the upgrade can be performed, restrict access to the /api/webhooks/schema endpoint by implementing network-level controls such as firewall rules or reverse proxy restrictions to block unauthenticated access.
Additionally, monitor logs and network traffic for suspicious activity targeting the webhook schema endpoint.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability primarily impacts data integrity by allowing unauthorized modification of webhook and automation schemas without affecting confidentiality or availability.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, unauthorized data manipulation could potentially lead to non-compliance issues if automation triggers or workflows handling regulated data are altered maliciously.
However, there is no direct information provided about specific effects on compliance with these regulations.