CVE-2026-50136
Status: Received - Intake
Unauthenticated S3 Presigned URL Generation in Budibase

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Budibase is an open-source low-code platform. Prior to 3.39.3, the application server exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored in a workspace datasource. The route is protected only by the recaptcha middleware and does not require authentication, table permission, datasource permission, or builder access. A public caller who knows a workspace ID and S3 datasource ID can request a signed upload URL for attacker-controlled bucket and key values. This vulnerability is fixed in 3.39.3.
Meta Information
Generated: 2026-06-27
AI Q&A: 2026-06-27
EPSS Evaluated: N/A
Affected Vendors & Products

1 associated CPE:

Vendor: budibase
Product: budibase
Version / Range: 3.39.3
CWE
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
AI-Generated Insights
Executive Summary

This vulnerability affects Budibase, an open-source low-code platform, in versions prior to 3.39.3. The application server exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored in a workspace datasource. The endpoint is protected only by the recaptcha middleware and performs no authentication or permission checks, so anyone who knows a workspace ID and an S3 datasource ID can request a signed upload URL for bucket and key values of their choosing.

Impact Analysis

Because the endpoint performs no authentication or permission checks, an attacker who knows the workspace and datasource IDs can obtain PutObject URLs signed with the workspace's stored S3 credentials for bucket and key values they choose. This can result in unauthorized writes to storage reachable by those credentials, data integrity problems, injection of attacker-supplied content, and abuse of storage resources. The CVSS score of 7.4 indicates high severity, with impacts on confidentiality, integrity, and availability.

Mitigation Strategies

The vulnerability is fixed in Budibase 3.39.3. The immediate mitigation is to upgrade the application server to 3.39.3 or later.
