CVE-2026-50137 Budibase CVE debrief

Who should care

Budibase users and administrators should be aware of this vulnerability and take immediate action to patch their systems. This vulnerability can be exploited by an anonymous attacker, and it allows them to write to any bucket that the victim's IAM credentials can write to. Organizations using Budibase should prioritize patching to prevent potential attacks.

Technical summary

The vulnerability exists in the Budibase server route POST /api/attachments/:datasourceId/url. The endpoint is registered with only the recaptcha middleware and lacks authorized middleware, allowing an anonymous attacker to call this endpoint with no auth. The controller looks up the requested datasource, instantiates an AWS S3 client with the datasource's stored accessKeyId / secretAccessKey, and returns an AWS Signature V4 pre-signed PutObjectCommand URL for the caller-supplied bucket and key. The bucket is not pinned to the datasource's configured bucket.

Defensive priority

High priority should be given to patching this vulnerability, as it allows an anonymous attacker to write to any bucket that the victim's IAM credentials can write to. Organizations using Budibase should prioritize patching to prevent potential attacks.

Recommended defensive actions

• Patch Budibase to version 3.39.0 or later
• Review and update IAM credentials and bucket configurations
• Monitor for suspicious activity on Budibase instances
• Implement additional security measures, such as restricting access to Budibase instances
• Conduct a thorough review of Budibase instance configurations and security settings

Evidence notes

The CVE-2026-50137 vulnerability was reported by an unknown source. The vulnerability has a CVSS score of 8.2 and is classified as HIGH severity. The vulnerability was published on June 26, 2026, and modified on June 29, 2026.

Official resources