CVE-2026-50136
Analyzed Analyzed - Analysis Complete

Unauthenticated S3 Presigned URL Generation in Budibase

Vulnerability report for CVE-2026-50136, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

Budibase is an open-source low-code platform. Prior to 3.39.3, the application server exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored in a workspace datasource. The route is protected only by the recaptcha middleware and does not require authentication, table permission, datasource permission, or builder access. A public caller who knows a workspace ID and S3 datasource ID can request a signed upload URL for attacker-controlled bucket and key values. This vulnerability is fixed in 3.39.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-30
Generated
2026-07-17
AI Q&A
2026-06-27
EPSS Evaluated
2026-07-15
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
budibase budibase to 3.39.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Budibase, an open-source low-code platform, in versions prior to 3.39.3. The application server exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored in a workspace datasource. This endpoint is only protected by recaptcha middleware and does not require any authentication or permission checks. As a result, anyone who knows a workspace ID and S3 datasource ID can request a signed upload URL for any bucket and key values they control.

Detection Guidance

This vulnerability involves an unauthenticated endpoint in Budibase servers prior to version 3.39.3 that generates S3 presigned PUT URLs when provided with a workspace ID and S3 datasource ID.

To detect exploitation attempts or presence of this vulnerability on your network or system, you can monitor HTTP requests targeting the Budibase application server for calls to the endpoint that generates presigned S3 upload URLs.

Since the endpoint requires only a workspace ID and S3 datasource ID, you can look for unusual or repeated requests containing these parameters, especially those that include arbitrary bucket and key values.

Suggested commands to detect such activity include using network traffic inspection tools or web server logs filtering for relevant request patterns.

  • Using grep on web server logs to find requests to the presigned URL generation endpoint, for example: grep -i 'PUT' /var/log/nginx/access.log | grep 'workspaceId='
  • Using tcpdump or tshark to capture HTTP traffic and filter for requests containing workspace ID and S3 datasource ID parameters.
  • Example tshark command: tshark -Y 'http.request.uri contains "workspaceId" and http.request.uri contains "datasourceId"' -T fields -e http.request.full_uri
  • Review application logs for unauthenticated requests to the presigned URL endpoint, especially those bypassing authentication but passing reCAPTCHA middleware.
Impact Analysis

The vulnerability allows an attacker to generate presigned S3 upload URLs without authentication or permission checks. This can lead to unauthorized data uploads to S3 buckets controlled by the attacker, potentially resulting in data integrity issues, unauthorized data injection, or abuse of storage resources. The CVSS score of 7.4 indicates a high severity with impacts on confidentiality, integrity, and availability.

Compliance Impact

This vulnerability allows unauthenticated users to generate presigned S3 PutObject URLs using credentials stored in a workspace datasource, potentially enabling unauthorized data uploads to attacker-controlled buckets.

Such unauthorized access and potential data manipulation could lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require strict controls over data access and integrity.

Because the endpoint lacks proper authentication and permission checks, organizations using affected versions of Budibase may face compliance risks related to unauthorized data exposure or modification.

Mitigation Strategies

The vulnerability is fixed in Budibase version 3.39.3. The immediate step to mitigate this vulnerability is to upgrade the Budibase application server to version 3.39.3 or later.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50136. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart