Zero Day Monitor (ZDM)
CVE-2026-50136 · CVSS 7.4 · PATCHED
Vendor: budiba · Product: budiba

Budibase: Unauthenticated S3 signed upload URL generation allows arbitrary writes with stored datasource credentials

Description

Budibase is an open-source low-code platform. Prior to 3.39.3, the application server exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored in a workspace datasource. The route is protected only by the recaptcha middleware and does not require authentication, table permission, datasource permission, or builder access. A public caller who knows a workspace ID and S3 datasource ID can request a signed upload URL for attacker-controlled bucket and key values. This vulnerability is fixed in 3.39.3.

Affected Products

Vendor   Product   Versions
budiba   budiba    < 3.39.3

References

  • https://github.com/Budibase/budibase/security/advisories/GHSA-jj36-r9w3-3pfh (x_refsource_CONFIRM)

Related News (1 article)

Tier C · VulDB · 23h ago
CVE-2026-50136 | budibase up to 3.39.2 missing authentication (GHSA-jj36-r9w3-3pfh)
→ No new info (linked only)
CVSS 3.1: 7.4 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
CISA KEV: No
Actively exploited: No
Patch available: @budibase/server@3.39.2
CWE: CWE-306
Published: Jun 22, 2026
Last enriched: 22h ago (v2)
Tags: GHSA-jj36-r9w3-3pfh, npm
Trending Score: 35
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

CRITICAL · CVE-2026-54350 · EXP
Budibase: Anonymous NoSQL operator injection via published-app query templates
Trending: 54

HIGH · CVE-2026-50132 · EXP
Budibase: Chat Identity Link Hijacking via Missing Consent & CSRF — Account Impersonation in Budibase
Trending: 49

CRITICAL · CVE-2026-54353 · EXP
Budibase: Potential SSRF DNS rebinding bypass in outbound fetch validation
Trending: 44

HIGH · CVE-2026-50137 · EXP
Budibase: POST /api/attachments/:datasourceId/url is unauthenticated and lets anonymous callers mint S3 PUT pre-signed URLs using stored datasource IAM credentials
Trending: 41

CRITICAL · CVE-2026-54352
Budibase: Arbitrary file read by workspace-builder via PWA-zip symlink upload
Trending: 39

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Jun 22, 2026
Discovered by ZDM: Jun 22, 2026
Patch Available: Jun 27, 2026
Updated (severity): Jun 27, 2026

Version History

v2 · Tier C · 22h ago (last enriched 22h ago)
Updated severity to CRITICAL and corrected exploit availability to false.
Changed: severity (via VulDB)

v1 · 5d ago
Initial creation