CVE-2026-50137
Analyzed Analyzed - Analysis Complete

Unauthenticated S3 URL Generation in Budibase

Vulnerability report for CVE-2026-50137, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

Budibase is an open-source low-code platform. Prior to 3.39.0, an anonymous attacker who knows or can enumerate a workspace id (app_...) and an S3-source datasource id (ds_...) can call this endpoint with no auth and obtain a 15-minute pre-signed PUT URL minted on the victim's IAM identity. The endpoint also returns the publicUrl so the attacker knows exactly where their PUT lands. Because bucket is attacker-controlled, the attacker can write to any bucket those IAM credentials can write to, not only the bucket the datasource was configured for. The Budibase server route POST /api/attachments/:datasourceId/url (packages/server/src/api/routes/static.ts) is registered with only the recaptcha middleware. There is no authorized(...) middleware in the chain. The controller (packages/server/src/api/controllers/static/index.ts::getSignedUploadURL) looks the requested datasource up, instantiates an AWS S3 client with the datasource's stored accessKeyId / secretAccessKey, and returns an AWS Signature V4 pre-signed PutObjectCommand URL for the caller-supplied bucket and key. The bucket is not pinned to the datasource's configured bucket. The workspace context required by sdk.datasources.get is sourced by getWorkspaceIdFromCtx (packages/backend-core/src/utils/utils.ts) from any of: the x-budibase-app-id header, the JSON body appId, a path segment that begins with the workspace prefix, or ?appId=. auth.buildAuthMiddleware([], { publicAllowed: true }) runs before any of this and explicitly allows anonymous requests. The currentWorkspace middleware's "deny access to dev preview" branch only triggers under isBrowser(ctx) && !isApiKey(ctx); isBrowser checks the parsed User-Agent for a recognised browser, so any non-browser client (curl, the supplied PoC, any tool not setting a browser UA) is neither and reaches dev workspaces too. This vulnerability is fixed in 3.39.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-30
Generated
2026-07-17
AI Q&A
2026-06-27
EPSS Evaluated
2026-07-15
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
budibase budibase to 3.39.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Budibase, an open-source low-code platform, prior to version 3.39.0. An anonymous attacker who knows or can guess a workspace ID and an S3-source datasource ID can call a specific endpoint without authentication to obtain a 15-minute pre-signed PUT URL. This URL is minted using the victim's IAM identity, allowing the attacker to upload files to any S3 bucket that the victim's IAM credentials have write access to, not just the bucket configured for the datasource.

The vulnerable endpoint is POST /api/attachments/:datasourceId/url, which is protected only by recaptcha middleware but lacks proper authorization checks. The attacker also receives the public URL where the uploaded file will be accessible. Because the bucket is attacker-controlled, this allows the attacker to write arbitrary data to any bucket accessible by the victim's IAM credentials.

The vulnerability arises because the server does not restrict the bucket parameter to the configured datasource bucket and allows anonymous requests, enabling exploitation by non-browser clients. This issue was fixed in Budibase version 3.39.0.

Detection Guidance

This vulnerability involves an unauthenticated POST request to the Budibase server endpoint /api/attachments/:datasourceId/url that returns a pre-signed AWS S3 PUT URL. Detection can focus on identifying such unauthenticated requests to this endpoint, especially those that include workspace ids (app_...) and datasource ids (ds_...).

To detect exploitation attempts on your network or system, you can monitor HTTP POST requests to the /api/attachments/ endpoint that lack authentication headers but include suspicious workspace or datasource identifiers.

Example commands to detect such activity using common tools:

  • Using tcpdump to capture HTTP POST requests to the vulnerable endpoint: tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'POST /api/attachments/'
  • Using grep on web server logs to find unauthenticated POST requests to the endpoint: grep 'POST /api/attachments/' /var/log/nginx/access.log | grep -v 'Authorization'
  • Using curl to test if the endpoint is accessible without authentication by sending a POST request with example workspace and datasource ids: curl -X POST https://your-budibase-server/api/attachments/ds_example/url -d '{"appId":"app_example"}' -H 'Content-Type: application/json'

Monitoring for unexpected pre-signed URL generation or unusual S3 PUT operations using AWS CloudTrail or S3 access logs can also help detect exploitation.

Impact Analysis

This vulnerability can have serious security impacts. An attacker can upload arbitrary files to any S3 bucket that the victim's IAM credentials can write to, potentially leading to unauthorized data modification, data injection, or storage of malicious content.

Because the attacker obtains a pre-signed URL with the victim's IAM identity, this could lead to privilege escalation or abuse of the victim's AWS resources. It may also result in data integrity issues, unauthorized resource usage, or exposure of sensitive data if the uploaded content is accessible publicly.

Mitigation Strategies

The vulnerability is fixed in Budibase version 3.39.0. Immediate mitigation involves upgrading Budibase to version 3.39.0 or later.

Since the vulnerability allows anonymous attackers to obtain pre-signed PUT URLs without authentication, restricting access to the affected endpoint or adding proper authorization middleware before the upgrade can help mitigate the risk temporarily.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50137. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart