PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-50136 Budibase CVE debrief

CVE-2026-50136 is a HIGH severity (CVSS 7.4) vulnerability in Budibase, an open-source low-code platform. Before version 3.39.3, Budibase exposes an endpoint that generates S3 PutObject presigned URLs using the credentials stored in a workspace datasource. The endpoint sits behind only the recaptcha middleware: it requires no authentication, no table permission, no datasource permission and no builder access. A public caller who knows a workspace ID and an S3 datasource ID can therefore request an upload URL, signed with the datasource's credentials, for a bucket and key of their own choosing. In effect this is an arbitrary-object-write primitive against every bucket those credentials are allowed to write to, whether or not Budibase was ever configured to use that bucket. Budibase fixed this in version 3.39.3.

Vendor
Budibase
Product
Budibase (application server, per the CVE text)
CVSS
HIGH 7.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-26
Original CVE updated
2026-06-29
Advisory published
2026-06-26
Advisory updated
2026-06-29

Who should care

Anyone running a Budibase instance older than 3.39.3 that is reachable from untrusted networks, and in particular any instance with S3 datasources configured, should upgrade to 3.39.3 or later. Administrators should inventory their S3 datasources and the IAM permissions behind each set of credentials. A presigned URL carries the access key ID and a signature, not the secret access key, so what leaks is the ability to write objects as that principal rather than the secret itself; the blast radius is every bucket and key the principal may write to. Security teams should look for PutObject requests made with those credentials that do not match the app's normal upload locations and treat any such finding as grounds to rotate the keys.

Technical summary

The vulnerable code is in Budibase's application server. An endpoint there builds an S3 PutObject presigned URL from the credentials stored in a workspace datasource, and the only middleware in front of it is recaptcha; no session check, table permission, datasource permission or builder-role check runs. The request names the workspace, the datasource, and the bucket and key to sign for, so the two IDs are the only thing standing between an anonymous caller and the signing capability, and the bucket and key come from the caller rather than from the datasource's own configuration. The CVSS score is 7.4 (HIGH). Budibase released the fix in version 3.39.3.

Defensive priority

Upgrading to Budibase 3.39.3 or later is the priority. Until that is done, anonymous callers should not be able to reach the Budibase app server at all, and the credentials behind each S3 datasource should be scoped to the bucket and key prefix Budibase actually needs, so that a presigned URL for an attacker-chosen bucket is refused by S3 itself.

Recommended defensive actions

  • Update Budibase to version 3.39.3 or later
  • Inventory S3 datasources and scope their IAM credentials to least privilege: s3:PutObject only on the bucket and key prefix the app uses, so S3 rejects a presigned URL that names any other bucket or key
  • Rotate the access keys of any S3 datasource on an instance that was reachable by anonymous callers while unpatched
  • Monitor for exploitation: enable S3 server access logging or CloudTrail S3 data events and alert on PutObject requests authenticated via query string (that is, presigned URLs) from the datasource's principal to buckets or keys the app does not normally write to
  • Until patched, put the Budibase app server behind IP allowlisting and rate limiting at the reverse proxy; recaptcha is the only control on the affected route
  • Review Budibase configurations and datasources, and treat workspace and datasource IDs that have appeared in shared URLs, exports or screenshots as exposed, since those two IDs are all an attacker needs
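The monitoring item above is easiest to act on with S3 server access logs, where a presigned upload appears as a REST.PUT.OBJECT whose authentication type is QueryString. The following is an added TypeScript triage script for this debrief, not tooling from Budibase or PatchSiren: it parses constructed log lines (bracketed timestamp, quoted Request-URI, Referer and User-Agent, space-separated otherwise, field order as AWS documents it) and flags presigned PUTs made with the datasource's principal that land outside the buckets and prefixes the app is known to use. The bucket names, principal ARN, IPs and every log line are made up; the policy object is an assumption you would fill from your own datasource inventory.

```typescript
// Tokenize one S3 server access log line: fields are space-separated, the
// timestamp is wrapped in [...] and Request-URI, Referer and User-Agent in "...".
function tokenize(line: string): string[] {
  const fields: string[] = [];
  let i = 0;
  while (i < line.length) {
    const c = line[i];
    if (c === " ") { i++; continue; }
    const close = c === "[" ? "]" : c === '"' ? '"' : null;
    if (close !== null) {
      const end = line.indexOf(close, i + 1);
      if (end < 0) throw new Error(`unterminated ${c} field`);
      fields.push(line.slice(i + 1, end));
      i = end + 1;
    } else {
      let end = line.indexOf(" ", i);
      if (end < 0) end = line.length;
      fields.push(line.slice(i, end));
      i = end;
    }
  }
  return fields;
}

interface S3AccessRecord {
  bucket: string; time: string; remoteIp: string; requester: string;
  operation: string; key: string; status: string; authType: string;
}

// Positions follow the documented S3 server access log layout (bucket owner,
// bucket, time, remote IP, requester, request ID, operation, key, Request-URI,
// status, ... , signature version, cipher suite, authentication type, ...).
// Only the fields the check needs are kept.
function parseRecord(line: string): S3AccessRecord {
  const f = tokenize(line);
  if (f.length < 22) throw new Error(`short record (${f.length} fields)`);
  return {
    bucket: f[1], time: f[2], remoteIp: f[3], requester: f[4],
    operation: f[6], key: f[7], status: f[9], authType: f[21],
  };
}

interface UploadPolicy {
  requester: string;                   // IAM principal behind the datasource's access key
  allowed: Record<string, string[]>;   // bucket -> key prefixes Budibase legitimately writes to
}

// A presigned upload is a PUT whose authentication type is QueryString. Flag any
// such PUT made with the datasource's principal that lands outside the policy.
// Header-authenticated PUTs (AuthHeader) are the server's own SDK calls and are
// not what this CVE produces, so they are left alone here.
function findSuspiciousPresignedPuts(lines: string[], policy: UploadPolicy): S3AccessRecord[] {
  const hits: S3AccessRecord[] = [];
  for (const line of lines) {
    if (line.trim() === "") continue;
    const r = parseRecord(line);
    if (r.operation !== "REST.PUT.OBJECT" || r.authType !== "QueryString") continue;
    if (r.requester !== policy.requester) continue;
    const prefixes = policy.allowed[r.bucket] ?? [];
    if (prefixes.some((p) => r.key.startsWith(p))) continue;
    hits.push(r);
  }
  return hits;
}

// Assumed policy: the only place the app should ever presign uploads into.
const DEMO_POLICY: UploadPolicy = {
  requester: "arn:aws:iam::123456789012:user/budibase-datasource",
  allowed: { "app-uploads": ["attachments/"] },
};

// Constructed sample log lines, not real traffic. Line 1 is a normal app upload;
// line 2 is a presigned write to the root of the same bucket; line 3 is a presigned
// write into a bucket the app never uses; line 4 is a header-authenticated PUT;
// line 5 is a presigned download.
const OWNER = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
const SAMPLE_LOG = [
  `${OWNER} app-uploads [26/Jun/2026:10:15:02 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/budibase-datasource 3E57427F3EXAMPLE REST.PUT.OBJECT attachments/ws_demo/report.pdf "PUT /app-uploads/attachments/ws_demo/report.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=1111 HTTP/1.1" 200 - - 48211 41 28 "-" "Mozilla/5.0" - hostIdEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 QueryString app-uploads.s3.us-east-1.amazonaws.com TLSV1.2 - No`,
  `${OWNER} app-uploads [26/Jun/2026:10:17:44 +0000] 203.0.113.9 arn:aws:iam::123456789012:user/budibase-datasource 7B2D9C1A4EXAMPLE REST.PUT.OBJECT index.html "PUT /app-uploads/index.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=2222 HTTP/1.1" 200 - - 1309 12 9 "-" "curl/8.5.0" - hostIdEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 QueryString app-uploads.s3.us-east-1.amazonaws.com TLSV1.2 - No`,
  `${OWNER} company-static-site [26/Jun/2026:10:18:01 +0000] 203.0.113.9 arn:aws:iam::123456789012:user/budibase-datasource 9F0E1D2C3EXAMPLE REST.PUT.OBJECT index.html "PUT /company-static-site/index.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=3333 HTTP/1.1" 200 - - 1309 15 11 "-" "curl/8.5.0" - hostIdEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 QueryString company-static-site.s3.us-east-1.amazonaws.com TLSV1.2 - No`,
  `${OWNER} backups [26/Jun/2026:11:00:00 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/budibase-datasource 5A6B7C8D9EXAMPLE REST.PUT.OBJECT nightly/db.tar.gz "PUT /backups/nightly/db.tar.gz HTTP/1.1" 200 - - 99001 77 60 "-" "aws-sdk-js/3.0.0" - hostIdEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader backups.s3.us-east-1.amazonaws.com TLSV1.2 - No`,
  `${OWNER} app-uploads [26/Jun/2026:11:02:10 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/budibase-datasource 1C2D3E4F5EXAMPLE REST.GET.OBJECT attachments/ws_demo/report.pdf "GET /app-uploads/attachments/ws_demo/report.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=4444 HTTP/1.1" 200 - 48211 48211 30 20 "-" "Mozilla/5.0" - hostIdEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 QueryString app-uploads.s3.us-east-1.amazonaws.com TLSV1.2 - No`,
].join("\n");
```

`findSuspiciousPresignedPuts(SAMPLE_LOG.split("\n"), DEMO_POLICY)` returns the second and third records only: the root-of-bucket write and the write into `company-static-site`, both from an IP that is not the app's. The remote IP is deliberately not part of the rule, because legitimate presigned uploads come from end users' browsers, not from the server; the bucket and prefix are the stable signal. Note that a write to a bucket only shows up in that bucket's own access log, so feed the script logs from every bucket the datasource principal can reach, not just the app's upload bucket.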

Evidence notes

The CVE record and NVD detail provide information on the vulnerability and its severity. The source item URL provides additional context on the vulnerability and its impact. The reference URL from GitHub provides information on the fix and patch.

Official resources

This article is AI-assisted and based on the supplied source corpus.