PT-2026-24118 · Budibase · Budibase
Neo-Ai-Engineer (+1)
Published 2026-03-09 · Updated 2026-03-25
CVE-2026-31816 · CVSS v3.1 9.1 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Budibase versions prior to 3.31.5
Description
Budibase is a low-code platform used for creating internal tools, workflows, and admin panels. A flaw exists in the server's authorized() middleware, which protects server-side API endpoints. The isWebhookEndpoint() helper decides whether a request targets a webhook route by testing an unanchored regular expression against the entire request URL (ctx.request.url), which includes the query string, instead of against the path alone. Any request can therefore be made to look like a webhook call by appending a webhook path pattern to its query string. When the pattern matches, authorized() immediately calls return next(), skipping authentication, authorization, role checks, and CSRF protection. A remote, unauthenticated attacker can thus reach any server-side API endpoint. The vulnerable component is the authorized() middleware together with the isWebhookEndpoint() function; the vulnerable parameter is the query string.
Recommendations
Versions prior to 3.31.5 are affected. Upgrade to version 3.31.5 or later to resolve this issue.
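The following is an added illustration of the bypass class described above, not Budibase's own code. It models a Koa-style authorized() middleware with a webhook check that tests an unanchored regex against the full URL, beside a hardened check that tests an anchored regex against the path only. The regex, the /api/webhooks/ route prefix, the request URLs and the context shape are all assumptions chosen to mirror the description; the project's real pattern and routes are not reproduced here.

```javascript
// Added example: NOT Budibase's code. The pattern, paths and the
// Koa-like ctx shape are assumptions that mirror the advisory text.

// ASSUMPTION: an unanchored pattern naming the webhook routes.
const WEBHOOK_PATTERN_UNANCHORED = /webhooks\/(trigger|schema)/;

// Vulnerable check: evaluates the whole request URL, query string included,
// so "?x=webhooks/trigger" on any path satisfies it.
function isWebhookEndpointVulnerable(ctx) {
  return WEBHOOK_PATTERN_UNANCHORED.test(ctx.request.url);
}

// Hardened check: examine only the path component and anchor the pattern
// at the start of the path. ASSUMPTION: webhook routes live under
// /api/webhooks/. (Koa exposes the pathname directly as ctx.path.)
const WEBHOOK_PATTERN_ANCHORED = /^\/api\/webhooks\/(trigger|schema)(\/|$)/;

function isWebhookEndpointHardened(ctx) {
  // URL() needs a base for a path-only URL; the host value is irrelevant.
  const { pathname } = new URL(ctx.request.url, "http://localhost");
  return WEBHOOK_PATTERN_ANCHORED.test(pathname);
}

// Minimal stand-in for the middleware. The real authorized() also performs
// role and CSRF checks; only the authentication gate is modelled, and it is
// synchronous here where Koa's would be async.
function makeAuthorized(isWebhookEndpoint) {
  return function authorized(ctx, next) {
    if (isWebhookEndpoint(ctx)) {
      return next(); // webhook routes authenticate on their own
    }
    if (!ctx.user) {
      ctx.status = 403;
      ctx.body = { message: "Unauthorized" };
      return;
    }
    return next();
  };
}

// Push one request through the middleware and report whether the protected
// handler behind it executed.
function simulate(isWebhookEndpoint, url, user) {
  const ctx = { request: { url }, user, status: 200, body: null };
  let handlerRan = false;
  makeAuthorized(isWebhookEndpoint)(ctx, () => {
    handlerRan = true;
    ctx.body = { ok: true };
  });
  return { status: ctx.status, handlerRan };
}

// Log-review heuristic: the query string carries a webhook pattern while the
// path itself is not a webhook route.
function looksLikeBypassAttempt(url) {
  const { pathname, search } = new URL(url, "http://localhost");
  return !WEBHOOK_PATTERN_ANCHORED.test(pathname) &&
    WEBHOOK_PATTERN_UNANCHORED.test(search);
}

// Constructed sample requests (hypothetical paths).
const BYPASS_URL = "/api/global/users?x=webhooks/trigger";
const LEGIT_WEBHOOK_URL = "/api/webhooks/trigger/app_dev_123/wh_456";
const PROTECTED_URL = "/api/global/users";

function demo() {
  return {
    vulnerable_unauth_bypass: simulate(isWebhookEndpointVulnerable, BYPASS_URL, null),
    hardened_unauth_bypass: simulate(isWebhookEndpointHardened, BYPASS_URL, null),
    hardened_legit_webhook: simulate(isWebhookEndpointHardened, LEGIT_WEBHOOK_URL, null),
    hardened_protected_unauth: simulate(isWebhookEndpointHardened, PROTECTED_URL, null),
    hardened_protected_auth: simulate(isWebhookEndpointHardened, PROTECTED_URL, { id: "u1" }),
    flagged: [BYPASS_URL, LEGIT_WEBHOOK_URL, PROTECTED_URL].filter(looksLikeBypassAttempt),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two properties matter in the hardened form: the match is made on the pathname rather than the raw URL, so nothing in the query string can influence it, and the pattern is anchored so it cannot fire on a substring of an unrelated path. The looksLikeBypassAttempt() heuristic is an assumption-based starting point for sweeping access logs of unpatched instances, not a signature from the advisory.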
Exploit
Fix
RCE
Special Elements Injection
Weakness Enumeration
Related Identifiers
Affected Products
Budibase