CVE-2026-31816: Authentication Bypass via Webhook Query Parameter Injection in Budibase
Vulnerability ID: CVE-2026-31816
CVSS Score: 9.1
Published: 2026-03-09
Budibase versions 3.31.4 and earlier contain a critical authentication bypass vulnerability due to improper URL parsing in the server's authorized middleware. Attackers can bypass all authentication, authorization, and CSRF checks by appending a webhook routing pattern to the query string of any API request.
TL;DR
An unanchored regular expression matching against full request URLs allows unauthenticated attackers to bypass Budibase middleware and access protected APIs by injecting webhook paths into query parameters.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-74
- CVSS Score: 9.1
- Attack Vector: Network
- EPSS Score: 0.10%
- Exploit Status: Proof of Concept Available
- Authentication Required: None
Affected Systems
- Budibase API Middleware
- Budibase Authorized Routing Engine
- Node.js Koa Router Implementation
-
Budibase: <= 3.31.4 (Fixed in:
3.31.5)
Mitigation Strategies
- Upgrade Budibase to version 3.31.5 or later
- Deploy Web Application Firewall (WAF) rules to block requests containing '/webhooks/trigger' in query strings
- Monitor access logs for 200 OK responses on sensitive endpoints associated with the injected webhook string
Remediation Steps:
- Identify the current version of the Budibase deployment.
- Pull the updated Docker image for version 3.31.5 or update the npm package.
- Redeploy the Budibase application and verify normal operations.
- Review historical HTTP access logs for indicators of exploitation.
References
- Budibase Security Advisory GHSA-gw94-hprh-4wj8
- NVD - CVE-2026-31816
- CVE Record - CVE-2026-31816
- Security Online - Critical Flaws in Budibase
Read the full report for CVE-2026-31816 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)