CVE-2026-50137
Budibase prior to 3.39.0 allows an anonymous attacker to call POST /api/attachments/:datasourceId/url with a known workspace ID (app_…) and S3 datasource ID (ds_…) and receive a 15-minute pre-signed PUT URL minted with the victim’s IAM credentials. The endpoint returns both the signed URL and the p...