CVE-2026-42239

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.35.10

Description The budibase:auth cookie, which contains the JWT session token, is configured with httpOnly: false in the packages/backend-core/src/utils/utils.ts file. This allows JavaScript to access the cookie via document.cookie, enabling an attacker to steal the JWT and achieve full account takeover if a Cross-Site Scripting (XSS) flaw is present. Additionally, the cookie lacks the secure: true flag, meaning it can be sent over plaintext HTTP, and it lacks the sameSite attribute, making it susceptible to cross-site request attachment.

Recommendations Update to version 3.35.10.