CVE Catalog

CVE-2026-48151

High
Published: Translated: NVD NIST

Summary

Budibase is an open-source low-code platform. Prior to version 3.39.0, the webhook schema-building endpoint did not require authorization, allowing unauthenticated users to update the body schema for a known webhook.

Risk Assessment

Unauthorized access to the webhook schema may lead to unintended changes in automation, jeopardizing the integrity of the organization's business processes.

Recommendation

It is recommended to upgrade to version 3.39.0 or later to secure the endpoint against unauthorized access.

Original NVD description (English source)

Budibase is an open-source low-code platform. Prior to 3.39.0, the webhook schema-building endpoint is registered under builderRoutes, but the generic authorization middleware skips authorization for all paths matching /api/webhooks/schema. As a result, an unauthenticated caller can update the body schema for a known webhook and mutate the corresponding automation trigger output schema. This vulnerability is fixed in 3.39.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS