CVE-2026-50137
Status: Received - Intake
Unauthenticated S3 URL Generation in Budibase

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Budibase is an open-source low-code platform. Prior to 3.39.0, an anonymous attacker who knows or can enumerate a workspace id (app_...) and an S3-source datasource id (ds_...) can call the endpoint described below with no authentication and obtain a 15-minute pre-signed PUT URL minted on the victim's IAM identity. The endpoint also returns the publicUrl, so the attacker knows exactly where their PUT lands. Because the bucket is attacker-controlled, the attacker can write to any bucket those IAM credentials can write to, not only the bucket the datasource was configured for.

The Budibase server route POST /api/attachments/:datasourceId/url (packages/server/src/api/routes/static.ts) is registered with only the recaptcha middleware. There is no authorized(...) middleware in the chain. The controller (packages/server/src/api/controllers/static/index.ts::getSignedUploadURL) looks the requested datasource up, instantiates an AWS S3 client with the datasource's stored accessKeyId / secretAccessKey, and returns an AWS Signature V4 pre-signed PutObjectCommand URL for the caller-supplied bucket and key. The bucket is not pinned to the datasource's configured bucket.

The workspace context required by sdk.datasources.get is sourced by getWorkspaceIdFromCtx (packages/backend-core/src/utils/utils.ts) from any of: the x-budibase-app-id header, the JSON body appId, a path segment that begins with the workspace prefix, or ?appId=. auth.buildAuthMiddleware([], { publicAllowed: true }) runs before any of this and explicitly allows anonymous requests. The currentWorkspace middleware's "deny access to dev preview" branch only triggers under isBrowser(ctx) && !isApiKey(ctx); isBrowser checks the parsed User-Agent for a recognised browser, so any non-browser client (curl, the supplied PoC, any tool not setting a browser UA) is neither and reaches dev workspaces too.

This vulnerability is fixed in 3.39.0.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-27
AI Q&A: 2026-06-27
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: budibase
Product: budibase
Version / Range: up to 3.39.0 (excluding)
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability affects Budibase, an open-source low-code platform, prior to version 3.39.0. An anonymous attacker who knows or can guess a workspace ID and an S3-source datasource ID can call a specific endpoint without authentication to obtain a 15-minute pre-signed PUT URL. This URL is minted using the victim's IAM identity, allowing the attacker to upload files to any S3 bucket that the victim's IAM credentials have write access to, not just the bucket configured for the datasource.

The vulnerable endpoint is POST /api/attachments/:datasourceId/url, which is protected only by recaptcha middleware but lacks proper authorization checks. The attacker also receives the public URL where the uploaded file will be accessible. Because the bucket is attacker-controlled, this allows the attacker to write arbitrary data to any bucket accessible by the victim's IAM credentials.

The vulnerability arises because the server does not restrict the bucket parameter to the datasource's configured bucket and allows anonymous requests. The only client-type restriction in the chain (the "deny access to dev preview" branch) applies to browser user agents, so non-browser clients reach dev workspaces as well. This issue was fixed in Budibase version 3.39.0.

Impact Analysis

This vulnerability can have serious security impacts. An attacker can upload arbitrary files to any S3 bucket that the victim's IAM credentials can write to, potentially leading to unauthorized data modification, data injection, or storage of malicious content.

Because the attacker obtains a pre-signed URL with the victim's IAM identity, this could lead to privilege escalation or abuse of the victim's AWS resources. It may also result in data integrity issues, unauthorized resource usage, or exposure of sensitive data if the uploaded content is accessible publicly.

Mitigation Strategies

The vulnerability is fixed in Budibase version 3.39.0. Immediate mitigation involves upgrading Budibase to version 3.39.0 or later.

Since the vulnerability allows anonymous attackers to obtain pre-signed PUT URLs without authentication, restricting access to the affected endpoint or adding proper authorization middleware before the upgrade can help mitigate the risk temporarily.
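The two checks the description says the route lacked, an authorization check before the lookup and a bucket pinned to the datasource's configuration, as an added TypeScript example that is not Budibase's code. The handler logic is modelled as a pure function with the AWS pre-signer injected as a stub; the names (UploadCtx, S3Datasource, authorizedSignedUploadUrl) and the sample datasource are assumptions.

```typescript
// Added example, not Budibase's code. Models the two checks the vulnerable
// handler lacked: an authenticated caller and a bucket pinned to the
// datasource's configuration. All names here are assumptions.
interface S3Datasource {
  _id: string; // a Budibase datasource id looks like "ds_..."
  config: { bucket: string; region: string };
}
interface UploadCtx {
  user?: { _id: string }; // undefined for an anonymous request
  params: { datasourceId: string };
  request: { body: { bucket?: string; key?: string } };
}
// Stand-in for the AWS SDK pre-signer (getSignedUrl on a PutObjectCommand).
type Presigner = (bucket: string, key: string) => string;

class HttpError extends Error {
  status: number;
  constructor(status: number, message: string) { super(message); this.status = status; }
}

function authorizedSignedUploadUrl(
  ctx: UploadCtx,
  lookupDatasource: (id: string) => S3Datasource | undefined,
  presign: Presigner,
): { signedUrl: string; publicUrl: string } {
  // 1. Authorization: the original route ran only the recaptcha middleware,
  //    so anonymous callers reached the signer. Reject them before any lookup.
  if (!ctx.user) throw new HttpError(401, "authentication required");
  const ds = lookupDatasource(ctx.params.datasourceId);
  if (!ds) throw new HttpError(404, "datasource not found");
  const { bucket, key } = ctx.request.body;
  if (!key) throw new HttpError(400, "key is required");
  // 2. Bucket pinning: the URL is signed with the datasource's IAM credentials,
  //    so a caller-supplied bucket would reach anything those credentials can write.
  if (bucket !== undefined && bucket !== ds.config.bucket) {
    throw new HttpError(403, "bucket does not match datasource configuration");
  }
  const signedUrl = presign(ds.config.bucket, key);
  const publicUrl =
    `https://${ds.config.bucket}.s3.${ds.config.region}.amazonaws.com/${key}`;
  return { signedUrl, publicUrl };
}

// Constructed sample datasource and a stub signer so this runs offline.
const sampleDatasource: S3Datasource = {
  _id: "ds_example", config: { bucket: "victim-bucket", region: "eu-west-1" },
};
const lookup = (id: string) => (id === sampleDatasource._id ? sampleDatasource : undefined);
const stubPresign: Presigner = (b, k) => `https://${b}.s3.amazonaws.com/${k}?X-Amz-Signature=stub`;
```

An anonymous request fails with 401 before the datasource is ever read, and an authenticated request naming a different bucket fails with 403 even though the credentials could sign for it.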
