A vulnerability was found in budibase up to 3.38.x. It has been rated as problematic. It affects the function packages/server/src/api/controllers/static/index.ts::getSignedUploadURL of the file /api/attachments. Manipulation of this function leads to missing authorization. The vulnerability is tracked as CVE-2026-50137. The attack can be carried out remotely. No exploit exists. Upgrading the affected component is advised.

| Vendor | Product | Versions |
|---|---|---|
| budiba | budibase | < 3.39.0 |

Updated description with new details, changed severity to HIGH, set CVSS estimate to 7.5, updated CWE to CWE-287, and noted that no exploit exists.

Initial creation