{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41428", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-20T15:32:33.814Z", "datePublished": "2026-04-24T19:17:29.501Z", "dateUpdated": "2026-04-24T20:00:50.097Z"}, "containers": {"cna": {"title": "Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher \u2014 Unauthenticated Access to Protected Endpoints", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Budibase/budibase/security/advisories/GHSA-8783-3wgf-jggf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-8783-3wgf-jggf"}], "affected": [{"vendor": "Budibase", "product": "budibase", "versions": [{"version": "< 3.35.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T19:17:29.501Z"}, "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any protected endpoint by appending a public endpoint path as a query parameter. For example, POST /api/global/users/search?x=/api/system/status bypasses all authentication because the regex /api/system/status/ matches in the query string portion of the URL. This vulnerability is fixed in 3.35.4."}], "source": {"advisory": "GHSA-8783-3wgf-jggf", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-8783-3wgf-jggf", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T20:00:28.868950Z", "id": "CVE-2026-41428", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T20:00:50.097Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41428", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-20T15:32:33.814Z", "datePublished": "2026-04-24T19:17:29.501Z", "dateUpdated": "2026-04-24T20:00:50.097Z"}, "containers": {"cna": {"title": "Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher \u2014 Unauthenticated Access to Protected Endpoints", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Budibase/budibase/security/advisories/GHSA-8783-3wgf-jggf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-8783-3wgf-jggf"}], "affected": [{"vendor": "Budibase", "product": "budibase", "versions": [{"version": "< 3.35.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T19:17:29.501Z"}, "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any protected endpoint by appending a public endpoint path as a query parameter. For example, POST /api/global/users/search?x=/api/system/status bypasses all authentication because the regex /api/system/status/ matches in the query string portion of the URL. This vulnerability is fixed in 3.35.4."}], "source": {"advisory": "GHSA-8783-3wgf-jggf", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41428", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T20:00:28.868950Z"}}}], "references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-8783-3wgf-jggf", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T20:00:46.947Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*", "matchCriteriaId": "DD625C44-6B30-4818-AD5A-9A5DFB303BE9", "versionEndExcluding": "3.35.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any protected endpoint by appending a public endpoint path as a query parameter. For example, POST /api/global/users/search?x=/api/system/status bypasses all authentication because the regex /api/system/status/ matches in the query string portion of the URL. This vulnerability is fixed in 3.35.4."}], "id": "CVE-2026-41428", "lastModified": "2026-04-28T15:39:13.660", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T20:16:27.523", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-8783-3wgf-jggf"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-8783-3wgf-jggf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,3.35.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "budibase", "source": "cna", "vendor": "Budibase"}, "product": "budibase", "vendor": "budibase"}], "analysis": {"en": {"generated_at": "2026-04-28T05:50:08.255072+00:00", "value": {"mitigation_remediation": ["Upgrade Budibase to version 3.35.4 or newer to apply the regex anchoring fix.", "If an upgrade cannot be performed immediately, block or sanitize requests that contain a question mark followed by a public endpoint pattern using reverse\u2011proxy rewrite rules or firewall filters.", "Review custom endpoint configurations and adjust the middleware to enforce anchored regex matching to ensure no remaining unauthenticated access paths."], "summary": {"action": "Immediate Patch", "impact": "Authentication By-pass"}, "threat_synthesis": {"affected_systems": "Affected environment is the Budibase open\u2011source low\u2011code platform, any deployment using a release older than 3.35.4. The vulnerable component is the authenticated middleware that performs pattern matching against ctx.request.url. Until version 3.35.4 this component mis\u2011interprets query strings, allowing the bypass. All Budibase installations relying on these releases are exposed.", "description_and_impact": "An attacker can bypass Budibase\u2019s authentication middleware by exploiting unanchored regular expressions that compare the request URL, including its query string, against publicly accessible paths. By appending a public endpoint string as a query parameter to a protected route, the regular expression matches and the request is allowed through, granting unauthenticated access to resources protected by the middleware. The flaw is an authentication bypass, corresponding to CWE\u2011287, and enables an attacker to read, alter, or delete data that should be restricted to authorized users.", "risk_and_exploitability": "The CVSS score is 9.1, indicating critical severity, while the EPSS score is less than 1\u202f%, suggesting low current exploitation probability but non\u2011zero risk. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely without authentication by crafting a URL that places a known public endpoint into the query string of a protected request. Because the middleware applies the same pattern matching, the request is treated as legitimate, exposing the protected endpoint entirely."}}}}, "created": "2026-04-27T20:15:12.105054+00:00", "updated": "2026-04-28T06:00:09.589480+00:00", "vendors": ["budibase", "budibase$PRODUCT$budibase"]}