CVE-2026-31816
Published 2026-03-09
Priority P1 (score 92) · Critical · CVSS 3.1 base score 9.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 15.34% (96.4th percentile)
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized() middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any request. The isWebhookEndpoint() function uses an unanchored regex that tests against ctx.request.url, which in Koa includes the full URL with query parameters. When the regex matches, the authorized() middleware immediately calls return next(), skipping all authentication, authorization, role checks, and CSRF protection. This means a completely unauthenticated, remote attacker can access any server-side API endpoint by simply appending ?/webhooks/trigger (or any webhook pattern variant) to the URL.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| budibase | backend-core | >= 0 < 3.35.4 | 3.35.4 |
| budibase | budibase | <= 3.31.4 | — |
Detection & IOCs (extracted from sources)
- Detect requests where the query string contains a webhook path pattern (e.g. '/webhooks/trigger') appended to any API endpoint URL; this is the bypass technique that exploits the unanchored regex in isWebhookEndpoint().
- Alert on unauthenticated POST requests to Budibase API endpoints (e.g. /api/*) that contain '/webhooks/' in the query string rather than in the path.
- Nuclei template matcher logic: an HTTP 200 response with Content-Type application/json and a body containing the 'email', 'roleId' and 'status' fields, returned for an unauthenticated request to /api/ta_users/search?/webhooks/trigger, indicates successful exploitation.
- The bypass works with any webhook pattern variant in the query string, not just '/webhooks/trigger'; defenders should account for all webhook path patterns matched by the unanchored regex.
- The vulnerability affects Budibase version 3.31.4 and earlier. The Nuclei template uses /api/ta_users/search as a proof-of-concept endpoint, but any server-side API endpoint is exploitable.
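The matching flaw described in the advisory text (an unanchored route regex tested against the full request URL, query string included) and the log check suggested in the detection list, as an added JavaScript illustration that is not Budibase's code: the route pattern '/webhooks/trigger', the two matcher shapes, the `authorizedBranch()` stand-in and the sample access-log lines are constructed for this example, and the hardened matcher's exact-path anchoring is an assumption about how such a check should be written, not a description of the upstream fix.

```javascript
// Added illustration (not Budibase code): why an unanchored route regex tested
// against the full URL can be satisfied from the query string, how an anchored
// match on the path alone avoids that, and a log check for the bypass pattern.

// Placeholder route pattern (assumption; not the project's real matcher list).
const WEBHOOK_ROUTE = '/webhooks/trigger';

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Weak shape: the pattern is compiled without ^ or $ and tested against the
// whole request URL, which in Koa (ctx.request.url) still carries the query
// string. Any occurrence of the pattern, even after "?", counts as a match.
function isWebhookEndpointWeak(requestUrl) {
  return new RegExp(escapeRegex(WEBHOOK_ROUTE)).test(requestUrl);
}

// Hardened shape: parse the URL, discard the query string, and require the
// anchored pattern to match the whole path (the equivalent of testing ctx.path).
function isWebhookEndpointHardened(requestUrl) {
  const { pathname } = new URL(requestUrl, 'http://placeholder.local');
  return new RegExp('^' + escapeRegex(WEBHOOK_ROUTE) + '$').test(pathname);
}

// Stand-in for the guard shape the advisory describes: a middleware that
// skips its authentication checks when the webhook test matches. Returns the
// branch taken so the two matcher shapes can be compared side by side.
function authorizedBranch(requestUrl, isWebhookEndpoint) {
  if (isWebhookEndpoint(requestUrl)) return 'skipped-auth';
  return 'auth-checked';
}

// Detection: a request whose query string (after percent-decoding, so that
// %2Fwebhooks%2F is caught too) contains a webhook path segment while its path
// does not is the signature from the IOC list. Returns the decoded query when
// the request is flagged, otherwise null.
function webhookPatternInQuery(requestUrl) {
  const { pathname, search } = new URL(requestUrl, 'http://placeholder.local');
  let query = search;
  try {
    query = decodeURIComponent(search);
  } catch {
    // malformed percent-encoding: fall back to matching the raw query
  }
  const inQuery = /\/webhooks\//i.test(query);
  const inPath = /\/webhooks\//i.test(pathname);
  return inQuery && !inPath ? query : null;
}

// Constructed sample access-log lines in the form "METHOD URL STATUS".
const SAMPLE_LOG = [
  'POST /api/ta_users/search?/webhooks/trigger 200',        // bypass shape
  'POST /api/ta_users/search?q=%2Fwebhooks%2Ftrigger 200',  // encoded variant
  'POST /api/ta_users/search 403',                          // normal rejection
  'POST /webhooks/trigger 200',                             // legitimate webhook path
  'GET /api/self?tab=settings 401',                         // unrelated query
];

// Scan log lines and return the requests that carry a webhook pattern in the
// query string rather than the path.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const [method, url, status] = line.split(' ');
    const query = webhookPatternInQuery(url);
    if (query !== null) hits.push({ method, url, status: Number(status), query });
  }
  return hits;
}
```

Calling `scanLog(SAMPLE_LOG)` flags the first two lines only: the legitimate request to the webhook path is not reported, and the encoded variant is caught because the query is decoded before the pattern test. The same decoding step matters for the weak matcher as well: a percent-encoded pattern would not match a raw-URL regex, so a detector that skips decoding and a matcher that does not are out of step with each other.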
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| GHSA | | 9.1 | CRITICAL | |
| VulnCheck | | 9.1 | CRITICAL | |
GHSA
CVE-2026-48147 [CRITICAL] CWE-185 · Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker
ghsa · 2026-06-12 · CVSS 9.1
### Summary
The `buildMatcherRegex()` / `matches()` functions in `packages/backend-core/src/middleware/matchers.ts` share the same structural root cause as the recently patched CVE-2026-31816: route patterns are compiled into **unanchored regular expressions** and tested against `ctx.request.url`, which includes the full query string. The CSRF middleware in the Budibase Worker uses this matching system to decide whether to skip CSRF token validation. An unauthenticated attacker can forge state-changing cross-origin requests against any Worker API endpoint by injecting a public route pattern into the query string, causing the CSRF middleware to skip token validation entirely. This
VulnCheck
CVE-2026-31816 [CRITICAL] budibase budibase Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
vulncheck · 2026 · CVSS 9.1
No detection rules found.
Nuclei
CVE-2026-31816 [CRITICAL] Budibase - Authentication Bypass
nuclei · CVSS 9.1
Template:
```yaml
id: CVE-2026-31816
info:
  name: Budibase - Authentication Bypass
  author: theamanrawat
  severity: critical
  description: |
    Budibase <= 3.31.4 contains an authentication bypass caused by unanchored regex in authorized() middleware matching webhook path patterns in query strings, letting unauthenticated remote attackers access any server-side API endpoint, exploit requires crafted request with webhook pattern in URL.
  impact: |
    Unauthenticated remote attackers
```