CVE-2026-48151
HighSummary
Budibase is an open-source low-code platform. Prior to version 3.39.0, the webhook schema-building endpoint did not require authorization, allowing unauthenticated users to update the body schema for a known webhook.
Risk Assessment
Unauthorized access to the webhook schema may lead to unintended changes in automation, jeopardizing the integrity of the organization's business processes.
Recommendation
It is recommended to upgrade to version 3.39.0 or later to secure the endpoint against unauthorized access.
Original NVD description (English source)
Budibase is an open-source low-code platform. Prior to 3.39.0, the webhook schema-building endpoint is registered under builderRoutes, but the generic authorization middleware skips authorization for all paths matching /api/webhooks/schema. As a result, an unauthenticated caller can update the body schema for a known webhook and mutate the corresponding automation trigger output schema. This vulnerability is fixed in 3.39.0.

