CVE-2026-50132
Analyzed Analyzed - Analysis Complete

Account Linking Without Consent in Budibase

Vulnerability report for CVE-2026-50132, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

Budibase is an open-source low-code platform. Prior to 3.39.0, `GET /api/chat-links/:instance/:token/handoff` is a public endpoint (no auth required) that performs a permanent, state-changing operation: it binds an external chat identity (Slack/Discord/MS Teams) to an authenticated Budibase user account, with no consent UI and no CSRF protection. The session token in the URL is created by the attacker (from their own /link slash command) and embeds the attacker's externalUserId. When an authenticated Budibase victim visits the URL, their account is silently and permanently linked to the attacker's Slack/Discord identity. The server responds with "Authentication succeeded." β€” no indication of what was linked. This vulnerability is fixed in 3.39.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-30
Generated
2026-07-17
AI Q&A
2026-06-27
EPSS Evaluated
2026-07-16
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
budibase budibase to 3.39.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Budibase versions prior to 3.39.0. It involves a public API endpoint that does not require authentication but performs a permanent, state-changing operation. Specifically, the endpoint binds an external chat identity (such as Slack, Discord, or MS Teams) to an authenticated Budibase user account without the user's consent or any CSRF protection.

An attacker can create a session token embedding their own external user ID and trick an authenticated Budibase user into visiting a URL containing this token. When the victim visits the URL, their Budibase account is silently and permanently linked to the attacker's external chat identity. The server responds with a message indicating authentication succeeded, but does not inform the user about the linking.

Impact Analysis

This vulnerability can lead to unauthorized linking of your Budibase user account to an attacker's external chat identity without your knowledge or consent.

Such unauthorized linking could allow the attacker to impersonate you or gain unauthorized access to systems or communications that trust the linked external identity.

Because the operation is permanent and silent, you may not be aware that your account has been compromised in this way.

Compliance Impact

This vulnerability allows an attacker to silently and permanently link an authenticated user's Budibase account to the attacker's external chat identity without the user's consent or awareness.

Such unauthorized linking of user accounts and identities without explicit consent could lead to violations of privacy regulations like GDPR, which require informed consent for processing personal data.

Additionally, the lack of user interface consent and absence of CSRF protection increases the risk of unauthorized data processing and identity association, potentially impacting compliance with standards that mandate user consent and data protection controls.

Mitigation Strategies

To mitigate this vulnerability, upgrade Budibase to version 3.39.0 or later, where the issue has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50132. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart