PatchSiren cyber security CVE debrief
CVE-2026-46426 Budibase CVE debrief
A stored cross-site scripting (XSS) vulnerability exists in Budibase, an open-source low-code platform, affecting versions prior to 3.38.2. The file upload endpoint POST /api/attachments/process fails to enforce active-content restrictions for authenticated builder users. Dangerous file extension checks are conditionally bypassed when the user is not a public user or when the environment is self-hosted. This allows authenticated builders to upload executable web content—including SVG files with inline script tags, HTML pages with JavaScript, and JavaScript modules—which are stored in object storage (MinIO/S3) with their correct MIME types. When any application user accesses the resulting signed URL, the browser executes the embedded payload, resulting in persistent stored XSS affecting all application end users. The vulnerability was published on 2026-05-27 and carries a CVSS 3.1 score of 7.6 (HIGH).
- Vendor: Budibase
- Product: Unknown
- CVSS: HIGH 7.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running self-hosted Budibase instances with multiple builder users; security teams responsible for low-code/no-code platform governance; application owners relying on Budibase for internal or customer-facing applications where end-user data exposure through XSS would have significant impact.
Technical summary
The vulnerability stems from conditional logic in the file upload endpoint that only applies dangerous file extension checks for public users or non-self-hosted environments. Authenticated builders in self-hosted deployments can bypass these restrictions entirely. Uploaded files retain their executable MIME types in object storage, and signed URLs serve these files without additional content sanitization or security headers. The attack requires authenticated builder access to upload malicious files, but exploitation affects all application users who subsequently access the generated URLs. The fix in version 3.38.2 enforces active-content restrictions universally regardless of user type or hosting configuration.
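The guard shape described above, as an added illustration that is not Budibase's own code: the names, the request-context fields (isPublicUser, selfHosted) and the extension list are assumptions made here to show why a role- or hosting-conditional check is unsafe and what universal enforcement looks like.

```javascript
// Constructed illustration of the vulnerable pattern beside its hardened form.
// This is not Budibase code; function and field names are assumptions.

// Extensions a browser will execute as active content when served with the
// matching MIME type (the advisory names SVG, HTML and JavaScript modules).
const ACTIVE_CONTENT_EXTENSIONS = new Set(["svg", "html", "htm", "xhtml", "js", "mjs"]);

// Last extension of a file name, lower-cased; "" when there is none.
function extensionOf(filename) {
  const idx = filename.lastIndexOf(".");
  return idx === -1 ? "" : filename.slice(idx + 1).toLowerCase();
}

// Vulnerable pattern: the dangerous-extension check only runs when the caller
// is a public user or the deployment is not self-hosted. An authenticated
// builder on a self-hosted instance never reaches the check.
function vulnerableIsUploadAllowed(filename, { isPublicUser, selfHosted }) {
  if (isPublicUser || !selfHosted) {
    return !ACTIVE_CONTENT_EXTENSIONS.has(extensionOf(filename));
  }
  return true; // trusted caller: no restriction applied
}

// Hardened pattern: the restriction is a property of the file, not of who is
// uploading it or where the instance runs, so the check has no caller-dependent
// branch at all.
function hardenedIsUploadAllowed(filename) {
  return !ACTIVE_CONTENT_EXTENSIONS.has(extensionOf(filename));
}

// Walk every combination of role and hosting mode and report which ones let an
// active-content file through. Returns the list of contexts that the vulnerable
// guard accepts; the hardened guard accepts none of them.
function contextsAcceptingActiveContent(filename) {
  const contexts = [];
  for (const isPublicUser of [true, false]) {
    for (const selfHosted of [true, false]) {
      if (vulnerableIsUploadAllowed(filename, { isPublicUser, selfHosted })) {
        contexts.push({ isPublicUser, selfHosted });
      }
    }
  }
  return contexts;
}

console.log(contextsAcceptingActiveContent("logo.svg"));
// Only { isPublicUser: false, selfHosted: true } is accepted: exactly the
// authenticated-builder, self-hosted case the advisory describes.
```

An extension check on its own is a weak control, because the browser decides how to render a file from the served MIME type; the fix should sit alongside download-only serving headers for user-supplied attachments.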
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Budibase to version 3.38.2 or later to remediate this vulnerability.
- Review and audit file upload configurations to ensure active-content restrictions are enforced for all user types, including authenticated builders in self-hosted environments.
- Implement additional content security policies (CSP) to mitigate execution of uploaded scripts if bypasses occur.
- Audit existing uploaded files in object storage for potentially malicious content uploaded prior to patching.
- Monitor application access logs for unusual patterns of file access or execution that may indicate exploitation attempts.
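One way to carry out the audit and serving-header actions above, as an added example that is not Budibase's own code: it assumes the object listing has already been fetched from MinIO/S3 into plain { key, contentType, body } records (the records below are constructed sample data), flags anything stored with an active-content extension or MIME type or with script markers in its body, and shows response headers that keep an attachment from rendering as a page in the application's origin.

```javascript
// Constructed audit helper for stored attachments. Not Budibase code; the record
// shape { key, contentType, body } and the names below are assumptions.

const ACTIVE_EXTENSIONS = new Set(["svg", "html", "htm", "xhtml", "js", "mjs"]);
const ACTIVE_MIME_TYPES = new Set([
  "image/svg+xml", "text/html", "application/xhtml+xml",
  "text/javascript", "application/javascript",
]);
// Heuristic markers of embedded script, checked case-insensitively on the first
// 64 KiB only so the audit stays cheap on large objects.
const SCRIPT_MARKERS = [/<script\b/i, /\son[a-z]+\s*=/i, /javascript:/i];
const SNIFF_BYTES = 64 * 1024;

// Extension of the object's file name, lower-cased; "" when there is none.
function extensionOf(key) {
  const name = key.slice(key.lastIndexOf("/") + 1);
  const idx = name.lastIndexOf(".");
  return idx === -1 ? "" : name.slice(idx + 1).toLowerCase();
}

// Reasons an object should be reviewed; an empty list means nothing was found.
function classifyObject({ key, contentType, body }) {
  const reasons = [];
  if (ACTIVE_EXTENSIONS.has(extensionOf(key))) reasons.push("active-extension");
  const mime = String(contentType).toLowerCase().split(";")[0].trim();
  if (ACTIVE_MIME_TYPES.has(mime)) reasons.push("active-mime-type");
  const head = Buffer.from(body).subarray(0, SNIFF_BYTES).toString("latin1");
  if (SCRIPT_MARKERS.some((re) => re.test(head))) reasons.push("script-marker-in-body");
  return reasons;
}

// Returns only the objects that need review, each with its reasons.
function auditStoredObjects(objects) {
  return objects
    .map((obj) => ({ key: obj.key, reasons: classifyObject(obj) }))
    .filter((r) => r.reasons.length > 0);
}

// Headers for serving any user-supplied attachment: force a download, forbid
// MIME sniffing, and sandbox the response so an active-content file that the
// audit missed is not executed in the application's origin. Expect the
// attachment disposition to change how inline previews of uploads behave.
function downloadResponseHeaders(filename) {
  const safeName = filename.replace(/["\r\n]/g, "_");
  return {
    "Content-Disposition": `attachment; filename="${safeName}"`,
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "sandbox; default-src 'none'",
  };
}

// Constructed sample listing standing in for a bucket scan.
const SAMPLE_OBJECTS = [
  { key: "attachments/app1/logo.svg", contentType: "image/svg+xml",
    body: '<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed marker */</script></svg>' },
  { key: "attachments/app1/index.html", contentType: "application/octet-stream",
    body: "<html><body>constructed</body></html>" },
  { key: "attachments/app1/report.pdf", contentType: "application/pdf",
    body: "%PDF-1.7 constructed" },
  { key: "attachments/app2/photo.png", contentType: "image/png",
    body: "\x89PNG constructed" },
  { key: "attachments/app2/widget.mjs", contentType: "text/javascript",
    body: "export const x = 1;" },
];

console.log(auditStoredObjects(SAMPLE_OBJECTS));
```

The body check is a heuristic for triage, not a parser: it is there to catch files stored under a misleading extension or MIME type, while the extension and MIME checks catch the cases the advisory describes directly.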
Evidence notes
Vulnerability description and fix version confirmed via GitHub Security Advisory GHSA-82rc-gxrg-v4gf and Budibase release 3.38.2. CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N sourced from NVD record. CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-434 (Unrestricted Upload of File with Dangerous Type) identified as associated weaknesses.
Official resources
2026-05-27