SCA: security update for @budibase/server (GHSA-35c4-rvc8-frhm)

Severity: High | Tenable Self-Hosted Container Security | Plugin ID 443781

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Budibase is an open-source low-code platform. Prior to 3.39.0, the Budibase server route
POST /api/attachments/:datasourceId/url (packages/server/src/api/routes/static.ts) is registered with
only the recaptcha middleware; there is no authorized(...) middleware in the chain. An anonymous attacker
who knows or can enumerate a workspace id (app_...) and an S3-source datasource id (ds_...) can call the
endpoint with no auth and obtain a 15-minute pre-signed PUT URL minted on the victim's IAM identity. The
response also includes the publicUrl, so the attacker knows exactly where the PUT lands. The controller
(packages/server/src/api/controllers/static/index.ts::getSignedUploadURL) looks the requested datasource
up, instantiates an AWS S3 client with the datasource's stored accessKeyId / secretAccessKey, and returns
an AWS Signature V4 pre-signed PutObjectCommand URL for the caller-supplied bucket and key. Because the
bucket is attacker-controlled rather than pinned to the datasource's configured bucket, the attacker can
write to any bucket those IAM credentials can write to, not only the bucket the datasource was configured
for. The workspace context required by sdk.datasources.get is sourced by getWorkspaceIdFromCtx
(packages/backend-core/src/utils/utils.ts) from any of: the x-budibase-app-id header, the JSON body
appId, a path segment that begins with the workspace prefix, or ?appId=.
auth.buildAuthMiddleware([], { publicAllowed: true }) runs before any of this and explicitly allows
anonymous requests. The currentWorkspace middleware's "deny access to dev preview" branch only triggers
under isBrowser(ctx) && !isApiKey(ctx); isBrowser checks the parsed User-Agent for a recognised browser,
so any non-browser client (curl, the supplied PoC, any tool not setting a browser UA) fails that check
and reaches dev workspaces too. This vulnerability is fixed in 3.39.0. (CVE-2026-50137)

Solution

Update the @budibase/server library and its related packages to version 3.39.0 or later.

See Also

https://github.com/advisories/GHSA-35c4-rvc8-frhm

Plugin Details

Severity: High

ID: 443781

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 6/23/2026

Updated: 7/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.5

Percentile: 51.97

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9.7

Temporal Score: 7.6

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:P

CVSS Score Source: CVE-2026-50137

CVSS v3

Risk Factor: Critical

Base Score: 9.4

Temporal Score: 8.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.2

Threat Score: 6.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/22/2026

Vulnerability Publication Date: 6/22/2026

Reference Information

CVE: CVE-2026-50137

cwe: CWE-862