CVE-2026-50132
Account Linking Without Consent in Budibase

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Budibase is an open-source low-code platform. Prior to 3.39.0, `GET /api/chat-links/:instance/:token/handoff` is a public endpoint (no auth required) that performs a permanent, state-changing operation: it binds an external chat identity (Slack/Discord/MS Teams) to an authenticated Budibase user account, with no consent UI and no CSRF protection. The session token in the URL is created by the attacker (from their own `/link` slash command) and embeds the attacker's `externalUserId`. When an authenticated Budibase victim visits the URL, their account is silently and permanently linked to the attacker's Slack/Discord identity. The server responds with "Authentication succeeded." and gives no indication of what was linked. This vulnerability is fixed in 3.39.0.
Affected Vendors & Products
Vendor     Product     Version / Range
budibase   budibase    3.39.0
CWE
CWE ID    Description
CWE-284   The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-352   The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Executive Summary

This vulnerability exists in Budibase versions prior to 3.39.0. It involves a public API endpoint that does not require authentication but performs a permanent, state-changing operation. Specifically, the endpoint binds an external chat identity (such as Slack, Discord, or MS Teams) to an authenticated Budibase user account without the user's consent or any CSRF protection.

An attacker can create a session token embedding their own external user ID and trick an authenticated Budibase user into visiting a URL containing this token. When the victim visits the URL, their Budibase account is silently and permanently linked to the attacker's external chat identity. The server responds with a message indicating authentication succeeded, but does not inform the user about the linking.
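The pattern described in the Description and in the two paragraphs above, as an added example that is not Budibase's code: a toy in-memory model of a chat-identity handoff endpoint, with the vulnerable shape (GET, no CSRF check, no consent step, silent reply) next to a hardened variant. The store layout, request shape, header name and status codes are assumptions made for this example.

```javascript
// Added illustrative example, not Budibase's code. In-memory stores and the request
// shape ({ method, params, session, headers, body }) are assumptions for this example.
const linkTokens = new Map(); // token -> { provider, externalUserId, used }
const users = new Map();      // userId -> { csrfToken, linkedIdentities: [] }

function addUser(userId, csrfToken) { users.set(userId, { csrfToken, linkedIdentities: [] }); }

// The chat-side /link slash command mints a token that carries the *caller's* external identity,
// so anyone can mint a token for their own identity and hand the resulting URL to someone else.
function createLinkToken(token, provider, externalUserId) {
  linkTokens.set(token, { provider, externalUserId, used: false });
}

// Vulnerable: GET, no CSRF check, no consent step. Whichever session cookie the browser attaches
// gets the token's external identity bound to that account, and the reply says nothing about it.
function handoffVulnerable(req) {
  const link = linkTokens.get(req.params.token);
  const user = users.get(req.session && req.session.userId);
  if (!link || !user) return { status: 404, body: 'Not found' };
  user.linkedIdentities.push({ provider: link.provider, externalUserId: link.externalUserId });
  return { status: 200, body: 'Authentication succeeded.' };
}

// Hardened: require a logged-in user; GET only previews what would be linked; the actual binding
// needs a POST carrying the session's CSRF token and an explicit consent flag; tokens are single-use;
// the response names the identity that was linked.
function handoffHardened(req) {
  const user = users.get(req.session && req.session.userId);
  if (!user) return { status: 401, body: 'Login required' };
  const link = linkTokens.get(req.params.token);
  if (!link) return { status: 404, body: 'Unknown link token' };
  if (link.used) return { status: 410, body: 'Link token already used' };
  const preview = { provider: link.provider, externalUserId: link.externalUserId };
  if (req.method !== 'POST') return { status: 200, body: { confirmRequired: true, ...preview } };
  if (!req.headers || req.headers['x-csrf-token'] !== user.csrfToken) {
    return { status: 403, body: 'CSRF token invalid' };
  }
  if (!req.body || req.body.consent !== true) return { status: 400, body: 'Consent not given' };
  link.used = true;
  user.linkedIdentities.push(preview);
  return { status: 200, body: { linked: preview } };
}
```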

Impact Analysis

This vulnerability can lead to unauthorized linking of your Budibase user account to an attacker's external chat identity without your knowledge or consent.

Such unauthorized linking could allow the attacker to impersonate you or gain unauthorized access to systems or communications that trust the linked external identity.

Because the operation is permanent and silent, you may not be aware that your account has been compromised in this way.

Mitigation Strategies

To mitigate this vulnerability, upgrade Budibase to version 3.39.0 or later, where the issue has been fixed.
