CVE-2026-50136
HighCVSS 7.4Exploitation Probability (EPSS)
Low risk21th percentile — higher than 21% of all known CVEs
Summary
Budibase prior to 3.39.3 exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials from a workspace datasource. The route is protected only by recaptcha middleware and does not require authentication, table permission, datasource permission, or builder access.
Risk Assessment
An attacker who knows a workspace ID and S3 datasource ID can generate a signed URL to upload files to a controlled S3 bucket, potentially leading to unauthorized data writes or information disclosure.
Recommendation
Immediately upgrade Budibase to version 3.39.3 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
Budibase is an open-source low-code platform. Prior to 3.39.3, the application server exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored in a workspace datasource. The route is protected only by the recaptcha middleware and does not require authentication, table permission, datasource permission, or builder access. A public caller who knows a workspace ID and S3 datasource ID can request a signed upload URL for attacker-controlled bucket and key values. This vulnerability is fixed in 3.39.3.

