cbcvebase.
CVE-2026-31816
published 2026-03-09


Priority: P192 · critical · 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 15.34% (96.4th percentile)
Budibase is a low-code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized() middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any request. The isWebhookEndpoint() function uses an unanchored regex that tests against ctx.request.url, which in Koa includes the full URL with query parameters. When the regex matches, the authorized() middleware immediately calls return next(), skipping all authentication, authorization, role checks, and CSRF protection. This means a completely unauthenticated, remote attacker can access any server-side API endpoint by simply appending ?/webhooks/trigger (or any webhook pattern variant) to the URL.

Affected (2 ranges)

Vendor     Product        Version range       Fixed in
budibase   backend-core   >= 0, < 3.35.4      3.35.4
budibase   budibase       <= 3.31.4

Detection & IOCs (extracted from sources)

url:   /api/ta_users/search?/webhooks/trigger
other: ?/webhooks/trigger
  • Detect requests where the query string contains a webhook path pattern (e.g., '/webhooks/trigger') appended to any API endpoint URL, which is the bypass technique exploiting the unanchored regex in isWebhookEndpoint().
  • Alert on unauthenticated POST requests to Budibase API endpoints (e.g., /api/*) that contain '/webhooks/' in the query string rather than the path.
  • Use the Nuclei template matcher logic: an HTTP 200 response with Content-Type application/json and a body containing 'email', 'roleId', and 'status' fields in response to an unauthenticated /api/ta_users/search?/webhooks/trigger request indicates successful exploitation.
  • The bypass works with any webhook pattern variant in the query string, not just '/webhooks/trigger'. Defenders should account for all webhook path patterns matched by the unanchored regex.
  • The vulnerability affects Budibase version 3.31.4 and earlier. The Nuclei template targets /api/ta_users/search as a proof-of-concept endpoint, but any server-side API endpoint is exploitable.
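The following is an added example, not Budibase's own code: it models the path-versus-full-URL mistake described in the advisory text above, shows a hardened check that tests only the Koa path with an anchored pattern, and implements the log check from the detection bullets. The webhook regexes, the route prefix and the log line format are constructed assumptions.

```javascript
// Added example, not Budibase's code: a constructed model of the check the
// advisory describes, a hardened form, and a log check for the IOC above.
// WEBHOOK_RE, WEBHOOK_PATH_RE and the log format are assumptions.

// Hypothetical stand-in for an unanchored webhook pattern (no ^, no $).
const WEBHOOK_RE = /\/webhooks\/trigger/;

// Flawed form: tests the full request URL, which in Koa includes the query
// string, so the pattern can match inside "?..." as well as in the path.
function isWebhookEndpointFlawed(ctx) {
  return WEBHOOK_RE.test(ctx.request.url);
}

// Hardened form: anchor the pattern at the start and test ctx.path only
// (Koa's pathname without the query string). The route prefix is hypothetical.
const WEBHOOK_PATH_RE = /^\/api\/webhooks\/trigger(\/|$)/;
function isWebhookEndpointHardened(ctx) {
  return WEBHOOK_PATH_RE.test(ctx.path);
}

// Minimal stand-in for a Koa context (constructed; no Koa dependency).
function makeCtx(rawUrl) {
  const u = new URL(rawUrl, "http://localhost");
  return { request: { url: u.pathname + u.search }, path: u.pathname };
}

// Defender-side log check: flag requests whose query string, rather than the
// path, carries a webhook pattern. Lines are "METHOD URL STATUS" (constructed).
function findSuspiciousRequests(logLines) {
  return logLines.filter((line) => {
    const [, rawUrl] = line.split(" ");
    const u = new URL(rawUrl, "http://localhost");
    return /\/webhooks\//.test(u.search) && !/\/webhooks\//.test(u.pathname);
  });
}

// Constructed sample log: one legitimate webhook call, one bypass attempt,
// one normally rejected unauthenticated request.
const SAMPLE_LOG = [
  "POST /api/webhooks/trigger/abc123 200",
  "POST /api/ta_users/search?/webhooks/trigger 200",
  "GET /api/ta_users/search 403",
];

const probe = makeCtx("/api/ta_users/search?/webhooks/trigger");
console.log("flawed check passes:", isWebhookEndpointFlawed(probe));     // true
console.log("hardened check passes:", isWebhookEndpointHardened(probe)); // false
console.log("flagged:", findSuspiciousRequests(SAMPLE_LOG));             // one line
```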

CVSS provenance

nvd (v3.1): 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
ghsa: 9.1 CRITICAL
vulncheck: 9.1 CRITICAL