{“lastseen”:””,”description”:”Budibase is an open-source low-code platform. Prior to 3.39.0, an anonymous attacker who knows or can enumerate a workspace id (app_…) and an S3-source datasource id (ds_…) can call this endpoint with no auth and obtain a 15-minute pre-signed PUT URL minted on the victim’s IAM identity. The endpoint also returns the publicUrl so the attacker knows exactly where their PUT lands. Because bucket is attacker-controlled, the attacker can write to any bucket those IAM credentials can write to, not only the bucket the datasource was configured for. The Budibase server route POST \/api\/attachments\/:datasourceId\/url (packages\/server\/src\/api\/routes\/static.ts) is registered with only the recaptcha middleware. There is no authorized(…) middleware in the chain. The controller (packages\/server\/src\/api\/controllers\/static\/index.ts::getSignedUploadURL) looks the requested datasource up, instantiates an AWS S3 client with the datasource’s stored accessKeyId \/ secretAccessKey, and returns an AWS Signature V4 pre-signed PutObjectCommand URL for the caller-supplied bucket and key. The bucket is not pinned to the datasource’s configured bucket. The workspace context required by sdk.datasources.get is sourced by getWorkspaceIdFromCtx (packages\/backend-core\/src\/utils\/utils.ts) from any of: the x-budibase-app-id header, the JSON body appId, a path segment that begins with the workspace prefix, or ?appId=. auth.buildAuthMiddleware([], { publicAllowed: true }) runs before any of this and explicitly allows anonymous requests. The currentWorkspace middleware’s \\”deny access to dev preview\\” branch only triggers under isBrowser(ctx) \\u0026\\u0026 !isApiKey(ctx); isBrowser checks the parsed User-Agent for a recognised browser, so any non-browser client (curl, the supplied PoC, any tool not setting a browser UA) is neither and reaches dev workspaces too. This vulnerability is fixed in 3.39.0.”,”published”:”2026-06-26T20:41:03.443Z”,”modified”:”2026-06-26T20:41:03.443Z”,”type”:”cve”,”title”:”Budibase: POST \/api\/attachments\/:datasourceId\/url is unauthenticated and lets anonymous callers mint S3 PUT pre-signed URLs using stored datasource IAM credentials”,”source”:”GitHub_M”,”references”:”https:\/\/github.com\/Budibase\/budibase\/security\/advisories\/GHSA-35c4-rvc8-frhm”,”id”:”CVE-2026-50137″,”bulletinFamily”:””,”cwe”:[“CWE-862″],”cvelist”:null,”sourceData”:”Budibase budibase \\u003c 3.39.0″,”sourceHref”:””,”cvss”:{“score”:8.2,”severity”:”HIGH”,”vector”:”CVSS:4.0\/AV:N\/AC:H\/AT:N\/PR:N\/UI:N\/VC:N\/VI:H\/VA:N\/SC:N\/SI:N\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”budibase”,”version”:”\\u003c 3.39.0″,”vendor”:”Budibase”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”Budibase is an open-source low-code platform. Prior to 3.39.0, an anonymous attacker who knows or can enumerate a workspace id (app_…) and an S3-source datasource…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,77,12,15,13,7,11,5],"class_list":["post-66328","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-82","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n