CVE-2026-48147

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.35.4

Description The buildMatcherRegex() and matches() functions in packages/backend-core/src/middleware/matchers.ts compile route patterns into unanchored regular expressions and test them against ctx.request.url, which includes the full query string. The CSRF middleware uses this system to determine if CSRF token validation should be skipped. An unauthenticated attacker can bypass CSRF token validation for any Worker API endpoint by injecting a public route pattern into the query string. This allows the execution of state-changing cross-origin requests, such as modifying global configuration, managing users, and sending admin invites.

Recommendations Update to version 3.35.4.