CVE-2026-48151 Budibase CVE debrief

Who should care

Organizations running Budibase instances with exposed builder routes, particularly those relying on webhook-triggered automations for business-critical workflows. Security teams responsible for low-code/no-code platform governance and developers building automation pipelines on Budibase infrastructure.

Technical summary

The Budibase low-code platform's webhook schema-building endpoint (`/api/webhooks/schema`) suffers from a missing authorization vulnerability. The endpoint is registered under `builderRoutes`, which typically requires authentication, but the generic authorization middleware contains a path-based bypass that skips authorization checks for all routes matching `/api/webhooks/schema`. This allows unauthenticated remote attackers to submit HTTP requests that modify webhook body schemas, which in turn mutates the corresponding automation trigger output schemas. The vulnerability enables integrity attacks against automation workflows without requiring any credentials. The fix in version 3.39.0 ensures proper authorization enforcement on this endpoint.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade Budibase to version 3.39.0 or later to obtain the authorization fix
• Review webhook configurations for unauthorized modifications if running versions prior to 3.39.0
• Audit automation trigger output schemas for unexpected changes that may indicate exploitation
• Implement network segmentation to limit exposure of Budibase builder routes to authorized administrative hosts only
• Monitor access logs for unauthenticated requests to `/api/webhooks/schema` endpoints

Evidence notes

CVE description confirms the authorization bypass mechanism and affected endpoint path. CVSS vector and score from NVD source item metadata. Fix version 3.39.0 stated in CVE description. CWE-862 classification from source item weaknesses array. GitHub Security Advisory referenced as primary source.

Official resources