CVE-2026-50132
HighCVSS 7.3Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
A vulnerability in Budibase before 3.39.0 allows an attacker to permanently link a victim's account to an external chat identity (Slack/Discord/MS Teams) without user consent. The public endpoint lacks authentication and CSRF protection, and the attack requires tricking an authenticated user into visiting a crafted URL.
Risk Assessment
An attacker can hijack the victim's communication channels, impersonating them in external systems, leading to data confidentiality and integrity breaches.
Recommendation
Immediately update Budibase to version 3.39.0 or later. Until then, restrict access to the /api/chat-links/:instance/:token/handoff endpoint for untrusted users.
Original NVD description (English source)
Budibase is an open-source low-code platform. Prior to 3.39.0, `GET /api/chat-links/:instance/:token/handoff` is a public endpoint (no auth required) that performs a permanent, state-changing operation: it binds an external chat identity (Slack/Discord/MS Teams) to an authenticated Budibase user account, with no consent UI and no CSRF protection. The session token in the URL is created by the attacker (from their own /link slash command) and embeds the attacker's externalUserId. When an authenticated Budibase victim visits the URL, their account is silently and permanently linked to the attacker's Slack/Discord identity. The server responds with "Authentication succeeded." — no indication of what was linked. This vulnerability is fixed in 3.39.0.

