3 matches found
Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override
Summary The webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in externalTrigger allows an attacker to overwrite the internal appId property by including it in the webhook POST...
PT-2026-51460
Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.39.9 Description Budibase contains a mass assignment issue in the externalTrigger function. The webhook trigger endpoint /api/webhooks/trigger/:instance/:id is publicly accessible and passes the full HTTP request...
Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step
Summary The executeQuery automation step in Budibase accepts a queryId from automation step inputs and passes it directly to the query execution controller without additional validation. When combined with a REST datasource configured to target internal infrastructure, this creates a server-side...