PatchSiren cyber security CVE debrief
CVE-2026-48147 Budibase CVE debrief
A cross-site request forgery (CSRF) bypass vulnerability exists in Budibase prior to version 3.35.4. The root cause is improper regular expression anchoring in the route matching logic used by CSRF middleware. The `buildMatcherRegex()` and `matches()` functions in `packages/backend-core/src/middleware/matchers.ts` compile route patterns into unanchored regular expressions and match them against `ctx.request.url`, which includes the full query string. An unauthenticated attacker can inject a public route pattern into the query string of a state-changing request, causing the CSRF middleware to incorrectly skip token validation. This allows forged cross-origin requests to execute sensitive Worker API operations—including sending admin invitations, modifying global configuration, and managing users—without a valid CSRF token. The vulnerability was disclosed on 2026-05-27 and is fixed in Budibase 3.35.4.
- Vendor: Budibase
- Product: Unknown
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running Budibase versions prior to 3.35.4, particularly those exposing Worker API endpoints to untrusted networks or relying on CSRF protection for administrative functions. Security teams should prioritize patching due to the unauthenticated attack vector and high-impact administrative actions at risk.
Technical summary
The Budibase Worker CSRF middleware relies on `buildMatcherRegex()` and `matches()` functions that compile route patterns into unanchored regular expressions. These patterns are tested against `ctx.request.url`, which includes the query string. An attacker can append a public route pattern to the query string of a sensitive endpoint (e.g., `?/api/public/health`), causing the unanchored regex to match and the CSRF middleware to skip validation. This enables unauthenticated cross-origin requests to execute privileged operations. The fix in 3.35.4 likely involves anchoring the regular expressions or excluding query strings from pattern matching.
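The matcher flaw described above, reduced to a self-contained example. This is added illustration code, not Budibase's `matchers.ts` or its fix: it places a matcher with the weak shape (pattern compiled without anchors and tested against the full request URL, query string included) beside a hardened matcher that escapes the pattern, anchors it, and tests only the path portion. The route names, the `csrfRequired()` helper and the request URLs are constructed for the example and do not claim to be Budibase's real endpoints.

```typescript
// Added example (not Budibase code). Route list and endpoint names are constructed.
type Route = { path: string };
type Matcher = (url: string) => boolean;

// Weak shape: pattern compiled without ^ / $ and tested against the whole URL,
// so a public route string anywhere in the query string produces a match.
function buildUnanchoredMatcher(routes: Route[]): Matcher {
  const regexes = routes.map((r) => new RegExp(r.path.replace(/:[^/]+/g, "[^/]+")));
  return (url: string) => regexes.some((re) => re.test(url));
}

function escapeRegex(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Hardened shape: literal segments are escaped, ":param" segments become a
// single-segment wildcard, the pattern is anchored, and only the path before
// any "?" or "#" is tested, so the query string cannot influence the decision.
function buildAnchoredMatcher(routes: Route[]): Matcher {
  const regexes = routes.map((r) => {
    const body = r.path
      .split("/")
      .map((seg) => (seg[0] === ":" ? "[^/]+" : escapeRegex(seg)))
      .join("/");
    return new RegExp("^" + body + "/?$");
  });
  return (url: string) => {
    const pathOnly = url.split(/[?#]/)[0];
    return regexes.some((re) => re.test(pathOnly));
  };
}

// Constructed public-route list; real Budibase route names may differ.
const PUBLIC_ROUTES: Route[] = [
  { path: "/api/public/health" },
  { path: "/api/public/apps/:appId" },
];

// Simplified CSRF decision: safe methods and public routes skip token checks,
// every other request must present a valid token.
function csrfRequired(matcher: Matcher, method: string, url: string): boolean {
  if (["GET", "HEAD", "OPTIONS"].indexOf(method.toUpperCase()) !== -1) return false;
  return !matcher(url);
}

const unanchored = buildUnanchoredMatcher(PUBLIC_ROUTES);
const anchored = buildAnchoredMatcher(PUBLIC_ROUTES);

// Constructed state-changing endpoint with a public route appended to its query
// string, the pattern the debrief describes.
const INVITE = "/api/global/users/invite";
const INVITE_WITH_PUBLIC_QUERY = INVITE + "?/api/public/health";

// Regression check a maintainer would keep: the hardened matcher must still
// require a token for the query-string variant.
function hardenedMatcherHolds(): boolean {
  return (
    csrfRequired(unanchored, "POST", INVITE_WITH_PUBLIC_QUERY) === false && // weak shape skips the check
    csrfRequired(anchored, "POST", INVITE_WITH_PUBLIC_QUERY) === true &&    // hardened shape still requires a token
    csrfRequired(anchored, "POST", "/api/public/health") === false &&       // genuine public route still exempt
    csrfRequired(anchored, "POST", "/api/public/apps/app_123") === false    // parameterised public route still exempt
  );
}
```

The two properties worth keeping as a permanent test are the last three lines of `hardenedMatcherHolds()`: the query-string variant of a sensitive route must require a token, and genuine public routes (literal and parameterised) must remain exempt, so the fix does not silently break public endpoints.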
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Budibase to version 3.35.4 or later to remediate the CSRF bypass vulnerability.
- Review custom route matchers for similar unanchored regular expression patterns that could enable security control bypass.
- Implement defense-in-depth by validating CSRF tokens on all state-changing endpoints regardless of route classification.
- Monitor access logs for anomalous query strings containing route-like patterns that may indicate exploitation attempts.
- Audit Worker API access logs for unauthorized administrative actions (user management, configuration changes, invite generation) occurring without corresponding CSRF token validation events.
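The log-monitoring action above, as an added example that is not part of the original debrief: a small scanner that reads combined-format access-log lines, keeps only state-changing requests, and flags any query-string key or value that decodes to a route-like path (here, anything beginning with `/api/`). The log lines and the `/api/` prefix are constructed assumptions; tune the prefix to the routes your deployment actually classifies as public.

```typescript
// Added detection example (not Budibase code). Log lines are constructed.
const SAMPLE_LOG: string[] = [
  '10.0.0.5 - - [27/May/2026:10:01:02 +0000] "POST /api/global/users/invite?/api/public/health HTTP/1.1" 200 512',
  '10.0.0.7 - - [27/May/2026:10:01:05 +0000] "GET /api/public/health HTTP/1.1" 200 17',
  '10.0.0.9 - - [27/May/2026:10:01:09 +0000] "POST /api/global/configs?type=settings HTTP/1.1" 200 88',
  '10.0.0.9 - - [27/May/2026:10:02:11 +0000] "POST /api/global/configs?x=%2Fapi%2Fpublic%2Fhealth HTTP/1.1" 200 88',
];

const REQUEST_RE = /"([A-Z]+) (\S+) HTTP\/[\d.]+"/; // method and request target from a combined-format line
const SAFE_METHODS = ["GET", "HEAD", "OPTIONS"];    // no CSRF relevance, so not scanned
const ROUTE_PREFIX = "/api/";                       // assumed prefix of route-like values

interface Finding {
  line: number;   // 1-based index into the input
  method: string;
  path: string;   // request path without the query string
  suspect: string; // decoded query component that looks like a route
}

// Percent-decoding can throw on malformed input; keep the raw value in that case
// so a deliberately malformed request is not silently dropped from the scan.
function safeDecode(s: string): string {
  try {
    return decodeURIComponent(s);
  } catch {
    return s;
  }
}

// Every key and value of the query string is decoded and tested, so both a bare
// "?/api/public/health" and an encoded "x=%2Fapi%2Fpublic%2Fhealth" are caught.
function routeLikeValues(query: string): string[] {
  const out: string[] = [];
  for (const pair of query.split("&")) {
    for (const part of pair.split("=")) {
      const v = safeDecode(part);
      if (v.indexOf(ROUTE_PREFIX) === 0) out.push(v);
    }
  }
  return out;
}

function scanAccessLog(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  lines.forEach((line, i) => {
    const m = REQUEST_RE.exec(line);
    if (!m) return; // not a request line we understand
    const method = m[1];
    const target = m[2];
    if (SAFE_METHODS.indexOf(method) !== -1) return;
    const q = target.indexOf("?");
    if (q === -1) return; // no query string, nothing to inject into
    const path = target.slice(0, q);
    for (const v of routeLikeValues(target.slice(q + 1))) {
      findings.push({ line: i + 1, method, path, suspect: v });
    }
  });
  return findings;
}

// Stand-alone run: prints one line per finding.
for (const f of scanAccessLog(SAMPLE_LOG)) {
  console.log(`line ${f.line}: ${f.method} ${f.path} carries route-like query value ${f.suspect}`);
}
```

Findings from this scanner are a triage signal, not proof of exploitation; correlate each flagged request with the Worker API audit trail (user, configuration and invite changes) mentioned in the last action above before treating it as an incident.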
Evidence notes
Vulnerability description confirms unanchored regex matching against full URL including query string; CSRF middleware bypass via query string injection; fixed in 3.35.4. CVSS 6.5 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. CWE-185 (Incorrect Regular Expression) and CWE-352 (Cross-Site Request Forgery) identified.
Official resources
- CVE-2026-48147 CVE record (CVE.org)
- CVE-2026-48147 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27