Security: Budibase/budibase
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Potential SSRF DNS rebinding bypass in outbound fetch validation (GHSA-gfq7-5x4g-3xhf), published Jun 4, 2026 by mjashanks, severity: High
- Arbitrary file read by workspace-builder via PWA-zip symlink upload (GHSA-w7mq-r738-x278), published Jun 4, 2026 by mjashanks, severity: Critical
- Anonymous NoSQL operator injection via published-app query templates (GHSA-8qv3-p479-cj62), published Jun 11, 2026 by mjashanks, severity: Critical
- Budibase: POST /api/attachments/:datasourceId/url is unauthenticated and lets anonymous callers mint S3 PUT pre-signed URLs using stored datasource IAM credentials (GHSA-35c4-rvc8-frhm), published May 28, 2026 by mjashanks, severity: High
- Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema (GHSA-qhv3-wjg8-6fx6), published May 21, 2026 by mjashanks, severity: High
- Unauthenticated S3 signed upload URL generation allows arbitrary writes with stored datasource credentials (GHSA-jj36-r9w3-3pfh), published May 28, 2026 by mjashanks, severity: High
- Chat Identity Link Hijacking via Missing Consent & CSRF — Account Impersonation in Budibase (GHSA-v7j5-vc4m-723w), published May 28, 2026 by mjashanks, severity: High
- Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL (GHSA-3gp5-q4jw-3v94), published May 21, 2026 by mjashanks, severity: High
- Stored XSS in Text component: BASIC users execute JS in admin session via MarkdownViewer innerHTML + CDN+srcdoc CSP bypass (GHSA-57p7-9h9w-xqpw), published May 21, 2026 by mjashanks, severity: High
- SCIM endpoints lack role-based authorization, BASIC users CRUD tenant users (GHSA-q9rw-q89f-jx2f), published May 14, 2026 by mjashanks, severity: Critical