PatchSiren cyber security CVE debrief
CVE-2026-42239 Budibase CVE debrief
CVE-2026-42239 is a high-severity vulnerability in Budibase, an open-source low-code platform. The issue arises from the insecure settings on the `budibase:auth` cookie, which carries the JWT session token. Specifically, the cookie is set with `httpOnly: false`, allowing JavaScript to read it via `document.cookie`. This turns every cross-site scripting (XSS) vulnerability into a full account takeover, as an attacker can steal the JWT and gain persistent access to the victim's account. Additionally, the cookie lacks the `secure: true` attribute, so it is also sent over plaintext HTTP, and it has no `sameSite` attribute, further increasing the risk. This vulnerability has been patched in version 3.35.10 of Budibase.
- Vendor
- Budibase
- Product
- Unknown
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-07
- Original CVE updated
- 2026-06-04
- Advisory published
- 2026-05-07
- Advisory updated
- 2026-06-04
Who should care
Developers and administrators using Budibase versions prior to 3.35.10 should be aware of this vulnerability and take immediate action to update their installations. Security teams monitoring for XSS vulnerabilities in low-code platforms should also be aware of this issue.
Technical summary
The `budibase:auth` cookie is set with insecure attributes, specifically `httpOnly: false`, allowing JavaScript access via `document.cookie`. The cookie also lacks the `secure: true` and `sameSite` attributes. Because the cookie holds the JWT session token, any XSS vulnerability can be used to steal it, enabling full account takeover.
Defensive priority
High
Recommended defensive actions
- Update Budibase to version 3.35.10 or later.
- Review and adjust cookie settings for secure attributes.
- Implement additional security measures to prevent XSS attacks.
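As an added example (not Budibase's code and not taken from the advisory), the JavaScript below audits a `Set-Cookie` header for the three attributes named in the technical summary and builds a hardened replacement, covering both the "review and adjust cookie settings" action and the cookie weaknesses described above. The cookie value, the `parseSetCookie`/`auditSessionCookie`/`buildSessionCookie` helpers and the `SameSite=Strict` default are assumptions for illustration, not Budibase's own API.

```javascript
// Added example, not Budibase code: audit Set-Cookie headers for HttpOnly,
// Secure and SameSite, and build a hardened session cookie for comparison.
// All cookie names and values below are constructed sample data.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute keys are lower-cased so the audit is case-insensitive.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return the list of weaknesses found on a session cookie header.
// An empty array means every attribute a session token should carry is present.
function auditSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) {
    findings.push("missing HttpOnly: readable via document.cookie, so any XSS can exfiltrate the token");
  }
  if (!attrs.secure) {
    findings.push("missing Secure: cookie is sent over plaintext HTTP");
  }
  const sameSite = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : null;
  if (!sameSite) {
    findings.push("missing SameSite: browser default applies, cross-site requests may carry the cookie");
  } else if (sameSite === "none") {
    findings.push("SameSite=None: cookie is attached to cross-site requests");
  }
  return findings;
}

// Build a hardened Set-Cookie header for a session token (assumed defaults:
// one-hour lifetime and SameSite=Strict; relax to Lax only if cross-site
// top-level navigation must keep the session).
function buildSessionCookie(name, value, { maxAgeSeconds = 3600, sameSite = "Strict" } = {}) {
  return [
    `${name}=${encodeURIComponent(value)}`,
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
    "HttpOnly",
    "Secure",
    `SameSite=${sameSite}`,
  ].join("; ");
}

// Constructed sample: the weak form the advisory describes beside the hardened form.
const weakHeader = "budibase:auth=eyJ.sample.jwt; Path=/";
const hardenedHeader = buildSessionCookie("budibase:auth", "eyJ.sample.jwt");

console.log("weak findings:", auditSessionCookie(weakHeader));
console.log("hardened findings:", auditSessionCookie(hardenedHeader));
```

Run `auditSessionCookie` over the `Set-Cookie` headers a Budibase deployment actually returns (for example from a proxy log or a `curl -i` login response) to confirm the post-3.35.10 cookie carries all three attributes; the weak sample above yields three findings, the hardened one none.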
Evidence notes
CVE-2026-42239 has a CVSS score of 8.1 and is classified as HIGH severity. The vulnerability was published on 2026-05-07 and modified on 2026-06-04.
Official resources
- CVE-2026-42239 CVE record (CVE.org)
- CVE-2026-42239 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Release Notes
- Mitigation or vendor reference: [email protected] - Vendor Advisory, Exploit, Mitigation
This CVE debrief is generated based on the provided source corpus and official links, following strict guidelines to ensure accuracy and relevance.