Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher...

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Description

Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any protected endpoint by appending a public endpoint path as a query parameter. For example, POST /api/global/users/search?x=/api/system/status bypasses all authentication because the regex /api/system/status/ matches in the query string portion of the URL. This vulnerability is fixed in 3.35.4.

AI Analysis

Authentication bypass vulnerability via unanchored regex in public endpoint matcher, allowing unauthenticated access to protected endpoints

Basic Information

ID CVE-2026-41428

Source GitHub_M

Published Apr 24, 2026 at 19:17

Modified Apr 24, 2026 at 20:00

Affected Product

Vendor Budibase

Product budibase

Version < 3.35.4

Affected Versions Budibase budibase < 3.35.4

CWE Classification

CWE-287

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor Budibase

Product Budibase

Version < 3.35.4

References

github.com /Budibase/budibase/security/advisories/GHSA-8783-3wgf-jggf

{
    "lastseen": "",
    "description": "Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any protected endpoint by appending a public endpoint path as a query parameter. For example, POST /api/global/users/search?x=/api/system/status bypasses all authentication because the regex /api/system/status/ matches in the query string portion of the URL. This vulnerability is fixed in 3.35.4.",
    "published": "2026-04-24T19:17:29.501Z",
    "modified": "2026-04-24T20:00:50.097Z",
    "type": "cve",
    "title": "Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher \u2014 Unauthenticated Access to Protected Endpoints",
    "source": "GitHub_M",
    "references": "https://github.com/Budibase/budibase/security/advisories/GHSA-8783-3wgf-jggf",
    "id": "CVE-2026-41428",
    "bulletinFamily": "",
    "cwe": [
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "Budibase budibase < 3.35.4",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "budibase",
    "version": "< 3.35.4",
    "vendor": "Budibase",
    "ai_description": "Authentication bypass vulnerability via unanchored regex in public endpoint matcher, allowing unauthenticated access to protected endpoints",
    "ai_severity": "Critical",
    "ai_vendor": "Budibase",
    "ai_product": "Budibase",
    "ai_version": "< 3.35.4",
    "ai_score": 9.1
}

Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints_CVE-2026-41428