PatchSiren cyber security CVE debrief
CVE-2026-54351 Budibase CVE debrief
CVE-2026-54351 is a high-severity vulnerability in Budibase, an open-source low-code platform. The issue arises from the webhook trigger endpoint being publicly accessible and passing the full HTTP request body into automation execution parameters. This allows attackers to exploit a mass assignment vulnerability in externalTrigger() by including the internal appId property in the webhook POST body. Consequently, an attacker can execute arbitrary automation in the context of a victim's workspace, effectively granting full read/write access to the victim's database. This vulnerability has been fixed in Budibase version 3.39.9. Users are advised to update to this version to mitigate the risk.
- Vendor: Budibase
- Product: Unknown
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-26
- Original CVE updated: 2026-06-29
- Advisory published: 2026-06-26
- Advisory updated: 2026-06-29
Who should care
Budibase users and administrators should be aware of this vulnerability, especially those who have not updated to version 3.39.9. Given the high severity of this vulnerability (CVSS score of 8.2), immediate attention is required to prevent potential exploitation. Security teams responsible for low-code platforms and environments where Budibase is deployed should prioritize patching and monitoring for potential attacks.
Technical summary
The CVE-2026-54351 vulnerability in Budibase arises from the externalTrigger() function's susceptibility to mass assignment attacks. By including the internal appId property in the webhook POST body, an attacker can overwrite this property. When the automation is processed asynchronously (the default for webhooks without a collect step), the attacker-defined automation is executed in the context of the victim's workspace. This grants the attacker full read/write access to the victim's database. The vulnerability is characterized by the following:
- Publicly accessible webhook trigger endpoint.
- Passing of full HTTP request body into automation execution parameters.
- Mass assignment vulnerability in externalTrigger().
- Execution of attacker-defined automation in the victim's workspace context.
- Full read/write access granted to the victim's database.
Defensive priority
High priority should be given to patching Budibase installations to version 3.39.9 or later. Immediate action is required due to the high CVSS score of 8.2 and the potential for attackers to exploit this vulnerability to gain unauthorized access to databases.
Recommended defensive actions
- Update Budibase to version 3.39.9 or later.
- Review and restrict access to webhook trigger endpoints.
- Implement additional monitoring for suspicious automation executions.
- Conduct a thorough review of existing automations for potential vulnerabilities.
- Enhance security measures for low-code platforms in the environment.
Evidence notes
The CVE-2026-54351 vulnerability details were obtained from the Budibase security advisory and CVE/NVD records. The vulnerability allows for mass assignment through the externalTrigger() function, enabling attackers to execute arbitrary automation in a victim's workspace. Evidence from the Budibase advisory indicates that the issue is resolved in version 3.39.9. However, specific details about the exploitation and affected scope are limited in the provided source corpus.
Official resources
- CVE-2026-54351 CVE record (CVE.org)
- CVE-2026-54351 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
This article is AI-assisted and based on the supplied source corpus.