
25 matches found

Github Security Blog, added 2026/06/22 11:19 p.m., 9 views

Budibase: POST /api/attachments/:datasourceId/url is unauthenticated and lets anonymous callers mint S3 PUT pre-signed URLs using stored datasource IAM credentials

Summary: The Budibase server route POST /api/attachments/:datasourceId/url (packages/server/src/api/routes/static.ts) is registered with only the recaptcha middleware. There is no authorized... middleware in the chain. The controller...

CVSS 8.2, AI score 6, EPSS 0.00341. Exploits 0, References 2, Affected software 1

Snyk, added 2026/05/18 5:47 p.m., 10 views

Arbitrary Code Injection

Overview: @budibase/server is a Budibase Web Server. Affected versions of this package are vulnerable to Arbitrary Code Injection via the calculation parameter in the V1 Views API, which is interpolated directly into a CouchDB reduce function without validation. An attacker can execute arbitrary...
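
Added example (not code from Budibase or the advisory): the bug class sketched in the summary above, a calculation string pasted into the source of a CouchDB reduce function, next to an allowlisted version that maps the parameter onto CouchDB's built-in reducers so that no JavaScript is ever generated from input. The template shape, the calculation names and the marker global are assumptions made for the demonstration.

```typescript
// Added example, not Budibase code. The template shape and calculation names are
// hypothetical; they exist only to show the injection and the allowlisted fix.

/** Vulnerable shape: the caller's string becomes part of JavaScript that CouchDB will compile. */
export function buildReduceUnsafe(calculation: string): string {
  return (
    "function (keys, values, rereduce) {" +
    " var sum = values.reduce(function (a, b) { return a + b; }, 0);" +
    " var count = values.length;" +
    ` return ${calculation};` +
    " }"
  );
}

/** Compile and run generated reduce source the way a JavaScript view server would (demo only). */
export function runGeneratedReduce(source: string, values: number[]): unknown {
  const fn = new Function(`return (${source});`)() as (k: unknown, v: number[], r: boolean) => unknown;
  return fn(null, values, false);
}

/** Hardened: the parameter selects one of CouchDB's built-in reducers; input never becomes code. */
const REDUCERS = { sum: "_sum", count: "_count", stats: "_stats" } as const;
export type Calculation = keyof typeof REDUCERS;

export function isCalculation(value: unknown): value is Calculation {
  // hasOwnProperty guards against "constructor", "__proto__" and other inherited keys
  return typeof value === "string" && Object.prototype.hasOwnProperty.call(REDUCERS, value);
}

export function buildReduceSafe(calculation: unknown): string {
  if (!isCalculation(calculation)) {
    throw new Error(`unsupported calculation: ${JSON.stringify(calculation)}`);
  }
  return REDUCERS[calculation];
}

/** Reads the global an injected payload leaves behind, to make the side effect observable. */
export function injectedMarker(): unknown {
  return (globalThis as unknown as Record<string, unknown>)["viewInjectionMarker"];
}
```

The point of the unsafe path is that a payload such as `(globalThis.viewInjectionMarker = 'code ran', sum)` still returns the correct sum, so the view keeps working while attacker code runs inside the view server. With the allowlist, the only values that reach CouchDB are the three fixed reducer names.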

CVSS 8.5, AI score 6.1, EPSS 0.00263. Exploits 0, References 2

Snyk, added 2026/05/18 5:44 p.m., 9 views

Incorrect Authorization

Overview: @budibase/server is a Budibase Web Server. Affected versions of this package are vulnerable to Incorrect Authorization through the row action trigger process. An attacker can gain unauthorized access to data and perform actions on database rows outside their permitted scope by supplying a...

CVSS 5.4, AI score 5.8, EPSS 0.00146. Exploits 0, References 2

vulnersOsv, added 2026/05/18 5:42 p.m., 5 views

@budibase/client (>=3.0.0 <=3.2.26), @budibase/server (>=3.0.0 <=3.2.26) potentially affected by CVE-2026-45716 via @budibase/frontend-core (>=3.0.0 <=3.2.7)

@budibase/frontend-core NPM version =3.0.0, =3.0.0, =3.0.0, =3.2.26 Source cves: CVE-2026-45716 Source advisory: SNYK:JS-BUDIBASEFRONTENDCORE-16759691...

CVSS 8.8, AI score 5.4, EPSS 0.00261. Exploits 0

Snyk, added 2026/05/15 5:59 p.m., 8 views

Missing Authorization

Overview: @budibase/server is a Budibase Web Server. Affected versions of this package are vulnerable to Missing Authorization via the PUT /api/datasources/:datasourceId route. An attacker can overwrite datasource connection parameters such as host, port, and url by sending crafted requests, which...
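
Added example (not Budibase code), covering this entry and the unauthenticated POST /api/attachments/:datasourceId/url entry above: a synchronous sketch of a Koa-style middleware chain showing why a route guarded only by a captcha middleware is reachable by anonymous callers, plus a route-table audit of the kind one runs in CI to flag non-GET routes whose chain carries no authorization middleware. The middleware names, roles, controllers and the "fixed" registration are hypothetical.

```typescript
// Added example, not Budibase code. All names are hypothetical.

type User = { id: string; role: "BASIC" | "BUILDER" | "ADMIN" };
type Ctx = { method: string; path: string; user?: User | undefined; status: number; body?: unknown };
type Middleware = (ctx: Ctx, next: () => void) => void;
type Tagged = Middleware & { authz?: boolean };   // authorization middlewares are tagged so an audit can find them

/** Run middlewares in order; each one decides whether to call next(). */
function compose(mws: Middleware[]): Middleware {
  return (ctx, done) => {
    const dispatchAt = (i: number): void => {
      const mw = mws[i];
      if (mw === undefined) { done(); return; }
      mw(ctx, () => dispatchAt(i + 1));
    };
    dispatchAt(0);
  };
}

// Stand-in for a recaptcha check: it proves a captcha was solved, not who is calling.
const recaptcha: Middleware = (_ctx, next) => next();

// Stand-in for an authorization middleware with a minimum-role gate. A real check would
// also be resource-scoped (may this user touch this particular datasource?).
const RANK = { BASIC: 1, BUILDER: 2, ADMIN: 3 } as const;
function authorized(minRole: User["role"]): Tagged {
  const mw: Tagged = (ctx, next) => {
    if (!ctx.user) { ctx.status = 401; return; }
    if (RANK[ctx.user.role] < RANK[minRole]) { ctx.status = 403; return; }
    next();
  };
  mw.authz = true;
  return mw;
}

// Hypothetical controllers: one hands out a pre-signed upload URL, one rewrites a datasource.
const mintUploadUrl: Middleware = (ctx) => { ctx.status = 200; ctx.body = { url: "https://bucket.example/obj?X-Amz-Signature=..." }; };
const updateDatasource: Middleware = (ctx) => { ctx.status = 200; };

export type Route = { method: string; path: string; chain: Middleware[] };

// The attachment route registered with a captcha middleware only (the bug class) ...
export const vulnerableRoute: Route = { method: "POST", path: "/api/attachments/:datasourceId/url", chain: [recaptcha, mintUploadUrl] };
// ... and the same route with an authorization middleware in the chain.
export const fixedRoute: Route = { method: "POST", path: "/api/attachments/:datasourceId/url", chain: [recaptcha, authorized("BUILDER"), mintUploadUrl] };
export const datasourceRoute: Route = { method: "PUT", path: "/api/datasources/:datasourceId", chain: [authorized("BUILDER"), updateDatasource] };

/** Dispatch a request through a route's chain and return the resulting status. */
export function dispatch(route: Route, user?: User): number {
  const ctx: Ctx = { method: route.method, path: route.path, user, status: 404 };
  compose(route.chain)(ctx, () => {});
  return ctx.status;
}

/** Audit: every state-changing route must carry a tagged authorization middleware. */
export function auditRoutes(routes: Route[]): string[] {
  return routes
    .filter((r) => r.method !== "GET" && !r.chain.some((mw) => (mw as Tagged).authz === true))
    .map((r) => `${r.method} ${r.path}`);
}
```

The audit is deliberately crude (method plus presence of a tagged middleware); its value is that it fails the build the moment someone registers a mutating route with a captcha check in place of an authorization check.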

CVSS 8.8, AI score 5.8, EPSS 0.00251. Exploits 0, References 2

Snyk, added 2026/05/15 5:53 p.m., 9 views

Server-side Request Forgery (SSRF)

Overview: @budibase/server is a Budibase Web Server. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the req function. An attacker can access internal services and sensitive cloud metadata by leveraging HTTP redirects through an attacker-controlled server,...

CVSS 7.7, AI score 5.8, EPSS 0.00258. Exploits 0, References 2

Snyk, added 2026/05/15 5:47 p.m., 10 views

Server-side Request Forgery (SSRF)

Overview: @budibase/server is a Budibase Web Server. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the processUrlFile function. An attacker can access internal network resources and sensitive cloud metadata by supplying crafted URLs that target internal or...

CVSS 7.7, AI score 5.8, EPSS 0.00258. Exploits 0, References 2

vulnersOsv, added 2026/05/11 4:20 p.m., 4 views

@budibase/cli (>=3.0.0 <=3.2.26), @budibase/pro (>=3.0.0 <=3.2.26) +2 more potentially affected by CVE-2026-45061 via @budibase/backend-core (>=3.0.0 <=3.2.7)

@budibase/backend-core NPM version =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.2.26 Source cves: CVE-2026-45061 Source advisory: SNYK:JS-BUDIBASEBACKENDCORE-16759131...

CVSS 7.7, AI score 5.4, EPSS 0.00263. Exploits 0

Snyk, added 2026/05/11 4:20 p.m., 9 views

Server-side Request Forgery (SSRF)

Overview: @budibase/server is a Budibase Web Server. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the urlUpload function. An attacker can access internal network resources and sensitive metadata by submitting a crafted URL containing .tar.gz that bypasses...

CVSS 7.7, AI score 5.9, EPSS 0.00263. Exploits 0, References 2

vulnersOsv, added 2026/04/24 4:18 p.m., 9 views

@budibase/cli (>=3.0.0 <=3.2.26), @budibase/pro (>=3.0.0 <=3.2.26) +2 more potentially affected by CVE-2026-42239 via @budibase/backend-core (>=3.0.0 <=3.2.7)

@budibase/backend-core NPM version =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.2.26 Source cves: CVE-2026-42239 Source advisory: SNYK:JS-BUDIBASEBACKENDCORE-16318349...

CVSS 8.1, AI score 5.8, EPSS 0.00283. Exploits 1

vulnersOsv, added 2026/04/16 10:40 p.m., 6 views

@budibase/cli (>=3.0.0 <=3.2.26), @budibase/pro (>=3.0.0 <=3.2.26) +2 more potentially affected by CVE-2026-41428 via @budibase/backend-core (>=3.0.0 <=3.2.7)

@budibase/backend-core NPM version =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.2.26 Source cves: CVE-2026-41428 Source advisory: SNYK:JS-BUDIBASEBACKENDCORE-16115495...

CVSS 9.1, AI score 5.8, EPSS 0.00445. Exploits 1

vulnersOsv, added 2026/04/04 6:04 a.m., 6 views

budibase (>=0.0.3 <=0.0.31) potentially affected by CVE-2026-35216 via @budibase/server (>=0.0.1 <=0.0.9)

@budibase/server NPM version =0.0.1, =0.0.3, =0.0.31 Source cves: CVE-2026-35216 Source advisory: OSV:GHSA-FCM4-4PJ2-M5HF...

CVSS 9, AI score 5.8, EPSS 0.11982. Exploits 1

OSV, added 2026/04/04 6:04 a.m., 4 views

GHSA-FCM4-4PJ2-M5HF Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step

Summary: An unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. Details...

CVSS 9, AI score 6.2, EPSS 0.11982. Exploits 1, References 6

Snyk, added 2026/04/04 6:04 a.m., 2 views

Directory Traversal

Overview: @budibase/server is a Budibase Web Server. Affected versions of this package are vulnerable to Directory Traversal via the fileUpload and the createTempFolder function. An attacker can delete arbitrary directories and write files to any location accessible by the Node.js process by...
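
Added example (not Budibase code): containment checks for the two operations the summary names, writing an uploaded file under an upload root and removing a per-job temp folder. Paths are computed and checked only; nothing is written or deleted. The root directories and the job-id format are assumptions.

```typescript
import * as path from "node:path";

// Added example, not Budibase code. Roots and the job-id shape are hypothetical.

export const UPLOAD_ROOT = path.resolve("/var/app/uploads");
export const TEMP_ROOT = path.resolve("/var/app/tmp");

/** Resolve `untrusted` beneath `root` and prove the result stays strictly inside it. */
export function safeJoin(root: string, untrusted: string): string {
  if (untrusted.includes("\0")) throw new Error("NUL byte in path");
  const base = path.resolve(root);
  const full = path.resolve(base, untrusted);   // collapses ".." and honours absolute input, so the check comes after
  const rel = path.relative(base, full);
  // Inside iff the relative path is non-empty, not absolute, and does not begin by climbing out.
  if (rel === "" || path.isAbsolute(rel) || rel === ".." || rel.startsWith(".." + path.sep)) {
    throw new Error(`path escapes ${base}: ${JSON.stringify(untrusted)}`);
  }
  return full;
}

/** Does safeJoin refuse this input? (policy-test helper) */
export function escapes(root: string, untrusted: string): boolean {
  try { safeJoin(root, untrusted); return false; } catch { return true; }
}

/** Uploads are stored by basename only: any directory part supplied by the client is dropped. */
export function uploadDestination(fileName: string): string {
  const name = path.basename(fileName);
  if (name === "" || name === "." || name === "..") throw new Error("unusable file name");
  return safeJoin(UPLOAD_ROOT, name);
}

/** Temp folder for a job: the id must match a tight shape before it is even joined, and the
 *  result is still containment-checked, so a later rm -rf of this path cannot leave TEMP_ROOT. */
export function tempFolderFor(jobId: string): string {
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(jobId)) throw new Error("bad job id");
  return safeJoin(TEMP_ROOT, jobId);
}
```

The two layers are independent on purpose: the basename and id-shape rules stop the obvious traversal strings at the edge, and safeJoin is the check that still holds if some other caller passes a path straight through.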

CVSS 8.7, AI score 6.5, EPSS 0.00554. Exploits 1, References 2

vulnersOsv, added 2026/04/04 6:04 a.m., 5 views

@budibase/backend-core (>=3.0.0 <=3.2.26), @budibase/bbui (>=3.0.0 <=3.2.26) +7 more potentially affected by CVE-2026-35214 via @budibase/types (>=3.0.0 <=3.2.7)

@budibase/types NPM version =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.2.26 Source cves: CVE-2026-35214 Source advisory: SNYK:JS-BUDIBASETYPES-15917494...

CVSS 8.7, AI score 5.8, EPSS 0.00554. Exploits 1

Snyk, added 2026/04/03 9:53 p.m., 3 views

Command Injection

Overview: @budibase/server is a Budibase Web Server. Affected versions of this package are vulnerable to Command Injection via the bash automation step, which executes user-supplied input using execSync without proper sanitization or validation. An attacker can execute arbitrary system commands by...
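
Added example (not Budibase code), covering this entry and the webhook-triggered RCE entry above: the bug class behind a bash step that splices a user-controlled binding into a shell command string, next to the shapes that keep the value out of the shell's parser. Because the webhook entry shows the automation can be fired by anyone, the binding has to be treated as attacker input even when the step itself was authored by a builder. The block really executes commands, so it assumes a POSIX sh and a printf binary; printf is used because it echoes its argument back unchanged, which makes the difference visible.

```typescript
import { execFileSync, execSync } from "node:child_process";

// Added example, not Budibase code. Assumes POSIX sh and a printf binary.

/** Vulnerable: the binding is spliced into the command line, so the shell parses it. */
export function runUnsafe(binding: string): string {
  return execSync(`printf '%s' ${binding}`, { encoding: "utf8" });
}

/** Safe: no shell at all; the binding travels as a single argv element. */
export function runNoShell(binding: string): string {
  return execFileSync("printf", ["%s", binding], { encoding: "utf8" });
}

/** Safe when a shell script is unavoidable: the script text is fixed, the untrusted value
 *  arrives through the environment and is expanded inside double quotes by the shell. */
export function runViaEnv(binding: string): string {
  return execFileSync("sh", ["-c", 'printf \'%s\' "$BINDING"'], {
    encoding: "utf8",
    env: { ...process.env, BINDING: binding },
  });
}

/** If a command string must be built, single-quote each value: inside '...' only a literal
 *  apostrophe is special, and it is spelled '\'' (close, escaped quote, reopen). */
export function shellQuote(value: string): string {
  return "'" + value.replace(/'/g, "'\\''") + "'";
}

export function runQuoted(binding: string): string {
  return execSync(`printf '%s' ${shellQuote(binding)}`, { encoding: "utf8" });
}
```

Prefer the argv and environment forms over quoting: shellQuote is correct for POSIX sh, but it is one helper away from being bypassed by a caller who forgets it, whereas execFileSync with an argv array has no string for the shell to reinterpret in the first place.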

CVSS 8.8, AI score 6.7, EPSS 0.00466. Exploits 0, References 2

vulnersOsv, added 2026/04/03 9:53 p.m., 6 views

budibase (>=0.0.3 <=0.0.31) potentially affected by CVE-2026-25044 via @budibase/server (>=0.0.1 <=0.0.9)

@budibase/server NPM version =0.0.1, =0.0.3, =0.0.31 Source cves: CVE-2026-25044 Source advisory: OSV:GHSA-GJW9-34GF-RP6M...

CVSS 8.8, AI score 5.8, EPSS 0.00466. Exploits 0

vulnersOsv, added 2026/04/03 9:34 p.m., 8 views

@budibase/cli (>=3.0.0 <=3.2.26), @budibase/pro (>=3.0.0 <=3.2.26) +2 more potentially affected by CVE-2026-31818 via @budibase/backend-core (>=3.0.0 <=3.2.7)

@budibase/backend-core NPM version =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.2.26 Source cves: CVE-2026-31818 Source advisory: SNYK:JS-BUDIBASEBACKENDCORE-15917492...

CVSS 9.9, AI score 5.8, EPSS 0.00377. Exploits 1

vulnersOsv, added 2026/04/03 9:34 p.m., 8 views

@budibase/cli (>=0.0.1 <=3.2.26), @budibase/pro (>=0.0.1 <=3.2.26) +4 more potentially affected by CVE-2026-31818 via @budibase/backend-core (>=0.0.1 <=3.2.7)

@budibase/backend-core NPM version =0.0.1, =0.0.1, =0.0.1, =0.0.999-alpha.30, =0.0.1, =3.2.26 - @devlego/server =1.1.29-alpha.1 - @devlego/worker =1.1.29-alpha.1 Source cves: CVE-2026-31818 Source advisory: OSV:GHSA-7R9J-R86Q-7G45...

CVSS 9.9, AI score 5.8, EPSS 0.00377. Exploits 1

Github Security Blog, added 2026/03/18 8:22 p.m., 5 views

Budibase Unrestricted Server-Side Request Forgery (SSRF) via REST Datasource Query Preview

Summary: The REST datasource query preview endpoint POST /api/queries/preview makes server-side HTTP requests to any URL supplied by the user in fields.path with no validation. An authenticated admin can reach internal services that are not exposed to the internet, including cloud metadata...

CVSS 8.7, AI score 5.8, EPSS 0.00367. Exploits 1, References 3, Affected software 1