CVE-2026-54351
Status: Received - Intake
Mass Assignment in Budibase Webhook Trigger

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in externalTrigger() allows an attacker to overwrite the internal appId property by including it in the webhook POST body. When the automation is processed asynchronously (the default path for webhooks without a collect step), the worker executes the attacker-defined automation in the context of the victim's workspace, granting full read/write access to the victim's database. This vulnerability is fixed in 3.39.9.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-27
AI Q&A: 2026-06-27
EPSS Evaluated: N/A
NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: budibase
Product: budibase
Version / Range: up to 3.39.9 (inclusive)
CWE
CWE-915: The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Executive Summary

This vulnerability exists in Budibase, an open-source low-code platform, prior to version 3.39.9. The webhook trigger endpoint is publicly accessible and accepts the full HTTP request body as parameters for automation execution. Due to a mass assignment vulnerability in the externalTrigger() function, an attacker can overwrite the internal appId property by including it in the webhook POST body.

When the automation is processed asynchronously (which is the default for webhooks without a collect step), the worker executes the attacker-defined automation within the victim's workspace context. This grants the attacker full read and write access to the victim's database.

This vulnerability is fixed in Budibase version 3.39.9.

Impact Analysis

An attacker exploiting this vulnerability can gain full read and write access to your Budibase workspace database. This means they can view, modify, or delete data stored within your application.

Because the attacker can execute automations in the context of your workspace, they could manipulate workflows, inject malicious data, or disrupt normal operations.

The CVSS score of 8.2 indicates a high severity, meaning the impact on confidentiality and integrity is significant, though availability is not affected.

Mitigation Strategies

To mitigate this vulnerability, upgrade Budibase to version 3.39.9 or later, where the issue has been fixed.
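The root cause described above is a mass assignment pattern (CWE-915): the whole webhook body is spread into the execution parameters, so a caller-controlled appId replaces the server's trusted one. The following added example is not Budibase's externalTrigger() code; it is a constructed illustration of that pattern next to a hardened version that sets trusted values server-side, copies only allow-listed body fields into a clearly untrusted sub-object, and flags attempts to set reserved keys so they can be logged or rejected before any work is queued. The field names and the sample body are assumptions made for the example.

```javascript
// Added illustration of CWE-915 in a webhook trigger. This is NOT Budibase's
// code; the field names and shapes below are constructed for the example.

// Body fields an automation is permitted to read from an inbound webhook.
const ALLOWED_BODY_FIELDS = ["event", "record", "source"];

// Internal properties that must only ever be set by the server.
const RESERVED_FIELDS = new Set(["appId", "automationId", "userId"]);

// Vulnerable pattern: the entire body becomes the execution parameters, so a
// caller-supplied appId silently overrides the trusted one set just before it.
function buildParamsVulnerable(trustedAppId, body) {
  return { appId: trustedAppId, ...body };
}

// Hardened pattern: trusted values are fixed, and only allow-listed body
// fields are copied into a nested `fields` object that downstream code
// treats as untrusted input. Reserved keys in the body are never honoured.
function buildParamsHardened(trustedAppId, body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    throw new TypeError("webhook body must be a JSON object");
  }
  const fields = {};
  for (const key of ALLOWED_BODY_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, key)) {
      fields[key] = body[key];
    }
  }
  return { appId: trustedAppId, fields };
}

// Detection helper: returns any reserved keys present in the body so the
// caller can log the attempt and reject the request before queuing work.
function findReservedKeys(body) {
  if (body === null || typeof body !== "object") return [];
  return Object.keys(body).filter((k) => RESERVED_FIELDS.has(k));
}

// Constructed sample: a body that carries an internal property alongside
// legitimate fields. The appId value is a placeholder, not a real identifier.
const sampleBody = {
  event: "row:created",
  record: { id: 7 },
  appId: "app_placeholder_not_trusted",
};

// Runs both builders over the sample and reports what each would execute under.
function demo(trustedAppId = "app_trusted_placeholder") {
  return {
    vulnerableAppId: buildParamsVulnerable(trustedAppId, sampleBody).appId,
    hardenedAppId: buildParamsHardened(trustedAppId, sampleBody).appId,
    reservedKeysSeen: findReservedKeys(sampleBody),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point to take from the hardened form is that trusted context and untrusted input live in different keys, so no ordering trick in an object spread can let the body win. Rejecting requests that name reserved keys is a useful detection signal, but the allow-list is the actual control; the rejection alone would not protect against a key the reserved list forgot.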
