CVE-2026-50132 Budibase: Chat Identity Link Hijacking via Missing Consent & CSRF — Account Impersonation in Budibase

Budibase is an open-source low-code platform. Prior to 3.39.0, GET /api/chat-links/:instance/:token/handoff is a public endpoint no auth required that performs a permanent, state-changing operation: it binds an external chat identity Slack/Discord/MS Teams to an authenticated Budibase user accoun...