PT-2026-44062 · Budibase · Budibase

Liyander · Published 2026-05-27 · Updated 2026-06-12 · CVE-2026-48151

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Budibase versions prior to 3.39.0

Description

An issue exists in the open-source low-code platform where the webhook schema-building endpoint is registered under builderRoutes, but the generic authorization middleware fails to enforce authorization for all paths matching the "/api/webhooks/schema" endpoint. This allows an unauthenticated caller to update the body schema for a known webhook and mutate the corresponding automation trigger output schema.

Recommendations

Update to version 3.39.0.

Exploit · Fix · Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-48151
GHSA-QHV3-WJG8-6FX6

Affected Products

Budibase