CVE-2026-48151
Description
Budibase is an open-source low-code platform. Prior to 3.39.0, the webhook schema-building endpoint is registered under builderRoutes, but the generic authorization middleware skips authorization for all paths matching /api/webhooks/schema. As a result, an unauthenticated caller can update the body schema for a known webhook and mutate the corresponding automation trigger output schema. This vulnerability is fixed in 3.39.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated users can update the body schema of any known webhook in Budibase, potentially corrupting automation trigger output before fix 3.39.0.
Vulnerability
Budibase versions prior to 3.39.0 contain an authorization bypass in the webhook schema-building endpoint. The route POST /api/webhooks/schema/:instance/:id is registered under builderRoutes, but the generic authorization middleware treats all paths matching /api/webhooks/schema as unauthenticated webhook endpoints. Consequently, any unauthenticated caller who knows a valid webhook ID can send a request to update its bodySchema, thereby mutating the corresponding automation trigger output schema. The vulnerability affects all Budibase installations running an earlier release than 3.39.0 [1].
Exploitation
An attacker with network access to the Budibase server can call POST /api/webhooks/schema/:instance/:id without any authentication or prior privileges. The only requirement is knowledge of a valid webhook ID and its workspace instance. Because the authorization middleware explicitly skips authentication for paths matching the isWebhookEndpoint check (which includes schema), the request reaches the buildSchema controller, which writes the attacker-supplied schema data directly to the webhook document in the workspace database [1].
Impact
Successful exploitation allows the attacker to arbitrarily overwrite the body schema of a targeted webhook and corrupt the output schema of any automation trigger that uses that webhook. While the attacker does not gain full code execution or data read access, they can disrupt automation workflows, cause malformed data handling, or potentially influence downstream processing logic that depends on the schema. The integrity of automation trigger outputs is compromised [1].
Mitigation
The vulnerability is fixed in Budibase version 3.39.0. Users must upgrade to this release or later to receive the patched authorization logic. No workarounds are available for versions prior to 3.39.0, and the fix is not backported to earlier branches. The CVE is not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog [1].
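Two triage helpers, added here as an example and not part of the advisory or of Budibase itself: `isAffected()` compares an installed Budibase version string against the fixed release 3.39.0 named above, and `findUnauthSchemaWrites()` scans reverse-proxy access logs for POSTs to the schema endpoint that carried no credentials, which is the only traffic pattern this bypass produces. The JSON log shape (`ts`, `remote`, `method`, `path`, `status`, `has_auth`) and the sample lines are constructed for this example; map the field names onto whatever your proxy actually emits. A hit with a 2xx status on a pre-3.39.0 host means the write went through; after the upgrade the same request should show 401 or 403.

```typescript
// Added example (not Budibase's code). Version comparison against the fixed
// release and a scan of constructed access-log lines for unauthenticated POSTs
// to /api/webhooks/schema/:instance/:id.

export const FIXED_VERSION = "3.39.0"; // from the advisory

// Numeric dotted-version comparison: -1 if a < b, 0 if equal, 1 if a > b.
export function compareVersions(a: string, b: string): number {
  const pa = a.split(".").map((n) => parseInt(n, 10));
  const pb = b.split(".").map((n) => parseInt(n, 10));
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = i < pa.length ? pa[i] : 0;
    const y = i < pb.length ? pb[i] : 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Anything older than 3.39.0 is in the affected range.
export function isAffected(installed: string): boolean {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Assumed proxy log record: has_auth is a flag the proxy sets when an
// Authorization header or a session cookie was present on the request.
export interface AccessLogEntry {
  ts: string;
  remote: string;
  method: string;
  path: string;
  status: number;
  has_auth: boolean;
}

export interface Finding {
  ts: string;
  remote: string;
  instance: string;
  webhookId: string;
  status: number;
}

// Only the schema-building path is of interest; the trigger path is meant to
// be reachable without credentials and must not be flagged.
export const SCHEMA_ENDPOINT = /^\/api\/webhooks\/schema\/([^/]+)\/([^/]+)$/;

function parseEntry(line: string): AccessLogEntry | null {
  try {
    return JSON.parse(line) as AccessLogEntry;
  } catch {
    return null; // malformed line: skip rather than abort the scan
  }
}

// Returns every unauthenticated POST to the schema endpoint, with the
// response status so the analyst can tell writes that succeeded (2xx)
// from requests a fixed server rejected (401/403).
export function findUnauthSchemaWrites(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const entry = parseEntry(line);
    if (entry === null || entry.method !== "POST" || entry.has_auth) continue;
    const m = SCHEMA_ENDPOINT.exec(entry.path);
    if (!m) continue;
    findings.push({
      ts: entry.ts,
      remote: entry.remote,
      instance: m[1],
      webhookId: m[2],
      status: entry.status,
    });
  }
  return findings;
}

// Constructed sample log: a normal inbound trigger, a builder's own schema
// update, an unauthenticated schema write that succeeded, one the fixed
// server refused, and a malformed line.
export const SAMPLE_LOG: string[] = [
  '{"ts":"2026-05-20T10:00:01Z","remote":"203.0.113.7","method":"POST","path":"/api/webhooks/trigger/app_example/wh_example","status":200,"has_auth":false}',
  '{"ts":"2026-05-20T10:00:05Z","remote":"198.51.100.4","method":"POST","path":"/api/webhooks/schema/app_example/wh_example","status":200,"has_auth":true}',
  '{"ts":"2026-05-20T10:01:09Z","remote":"203.0.113.7","method":"POST","path":"/api/webhooks/schema/app_example/wh_example","status":200,"has_auth":false}',
  '{"ts":"2026-05-21T08:30:00Z","remote":"203.0.113.7","method":"POST","path":"/api/webhooks/schema/app_example/wh_example","status":403,"has_auth":false}',
  'not json at all',
];

export function scanSample(): Finding[] {
  return findUnauthSchemaWrites(SAMPLE_LOG);
}
```

`scanSample()` returns two findings from the sample: the one that returned 200 is the write to investigate, while the 403 entry documents a blocked attempt after the upgrade.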
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
1feab9955aeb5 Bump version to 3.39.0
1 file changed · +1 −1
lerna.json+1 −1 modified@@ -1,6 +1,6 @@ { "$schema": "node_modules/lerna/schemas/lerna-schema.json", - "version": "3.38.5", + "version": "3.39.0", "npmClient": "yarn", "concurrency": 20, "command": {
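Review bot: this hunk only changes the version string in lerna.json from 3.38.5 to 3.39.0; nothing in it touches the authorization middleware or the webhook route registration that the advisory names as the fix, so the patch as linked does not show the remediation. Link the commit that narrows the webhook bypass check or moves the schema endpoint behind builder authorization, so reviewers can verify the change instead of inferring it from the version bump.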
Vulnerability mechanics
Root cause
Authorization bypass: the middleware skips authentication for all paths matching `/api/webhooks/schema` because the webhook endpoint regex includes `schema`, even though the endpoint is registered under builder-only routes.
Attack vector
An unauthenticated attacker sends a POST request to `/api/webhooks/schema/<workspaceId>/<webhookId>` with a JSON body containing arbitrary schema properties [ref_id=1]. The authorization middleware detects the path matches the webhook endpoint regex (`/api/webhooks/(trigger|schema|...)`) and skips all authentication checks, passing control to the `buildSchema` controller [ref_id=1]. The controller writes the attacker's payload into `webhook.bodySchema` and, for automation-backed webhooks, resets and overwrites the automation trigger's output schema properties [ref_id=1]. No authentication or prior knowledge beyond a valid workspace ID and webhook ID is required [ref_id=1].
Affected code
The vulnerable endpoint is `POST /api/webhooks/schema/:instance/:id` registered in `packages/server/src/api/routes/webhook.ts` under `builderRoutes` [ref_id=1]. The authorization middleware in `packages/server/src/middleware/authorized.ts` bypasses all webhook endpoints (including schema) before checking authentication [ref_id=1]. The controller `buildSchema` in `packages/server/src/api/controllers/webhook.ts` writes attacker-supplied schema data directly to the webhook and automation trigger outputs [ref_id=1].
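The middleware ordering described in the root cause, attack vector and affected-code passages above, reconstructed as an added example that is not Budibase's own code: a public-webhook allow-list regex is consulted before any identity is examined, so listing `schema` in that regex waves an anonymous POST through to a controller registered as builder-only. The request shape, route table and controller signature are assumptions made for this example; the names `authorize`, `isBuilderRoute` and `buildSchema` only echo the advisory's wording. The hardened variant shown is one plausible remediation (narrow the public regex to the trigger path and re-check builder permission inside the controller); the advisory does not say which change 3.39.0 actually made.

```typescript
// Added example (not Budibase's code): a minimal model of the allow-list
// middleware and the schema-building controller, with the bypass and a
// hardened form side by side.

export interface Request {
  method: string;
  path: string;
  authenticated: boolean; // a valid session or API key was presented
  isBuilder: boolean;     // that identity holds builder permission
}

export interface Webhook {
  id: string;
  bodySchema: Record<string, unknown>;
}

export type Outcome = "allowed" | "401 unauthenticated" | "403 forbidden";

// Vulnerable allow-list: "schema" sits in the alternation that marks a path
// as a public, unauthenticated webhook endpoint.
export const vulnerableWebhookRegex = /^\/api\/webhooks\/(trigger|schema)\//;

// Hardened allow-list: only the inbound trigger path is public; everything
// else under /api/webhooks falls through to the ordinary checks.
export const hardenedWebhookRegex = /^\/api\/webhooks\/trigger\//;

// Route table (assumed): the schema endpoint is registered as builder-only.
export function isBuilderRoute(path: string): boolean {
  return /^\/api\/webhooks\/schema\//.test(path);
}

// Generic authorization middleware. The first line is the bypass: whatever
// the regex matches is allowed before any identity is examined.
export function authorize(req: Request, webhookRegex: RegExp): Outcome {
  if (webhookRegex.test(req.path)) return "allowed";
  if (!req.authenticated) return "401 unauthenticated";
  if (isBuilderRoute(req.path) && !req.isBuilder) return "403 forbidden";
  return "allowed";
}

// Schema-building controller. With guardInController=false it writes
// whatever the middleware let through (the behaviour the advisory describes);
// with true it re-checks builder permission so an allow-list regression
// cannot reach the write on its own.
export function buildSchema(
  req: Request,
  webhook: Webhook,
  body: Record<string, unknown>,
  guardInController: boolean
): Webhook {
  if (guardInController && !(req.authenticated && req.isBuilder)) {
    throw new Error("buildSchema requires builder permission");
  }
  return { ...webhook, bodySchema: { ...body } };
}

export interface Result {
  outcome: Outcome | "403 controller";
  bodySchema: Record<string, unknown>;
}

// One request through middleware, then controller.
export function handleSchemaRequest(
  req: Request,
  body: Record<string, unknown>,
  webhook: Webhook,
  webhookRegex: RegExp,
  guardInController: boolean
): Result {
  const outcome = authorize(req, webhookRegex);
  if (outcome !== "allowed") return { outcome, bodySchema: webhook.bodySchema };
  try {
    const updated = buildSchema(req, webhook, body, guardInController);
    return { outcome: "allowed", bodySchema: updated.bodySchema };
  } catch {
    return { outcome: "403 controller", bodySchema: webhook.bodySchema };
  }
}

export interface Scenario {
  vulnerableAnon: Result;   // original ordering, anonymous caller
  guardOnly: Result;        // regex still wrong, controller guard added
  hardenedAnon: Result;     // narrowed regex, anonymous caller
  hardenedBuilder: Result;  // narrowed regex, legitimate builder
  hardenedTrigger: Outcome; // inbound trigger must stay public
}

// Constructed scenario: an anonymous caller and a builder each POST a new
// body schema to a webhook whose current schema has one property.
export function scenario(): Scenario {
  const webhook: Webhook = { id: "wh_example", bodySchema: { order_id: "string" } };
  const path = "/api/webhooks/schema/app_example/wh_example"; // constructed ids
  const anon: Request = { method: "POST", path, authenticated: false, isBuilder: false };
  const builder: Request = { method: "POST", path, authenticated: true, isBuilder: true };
  const newSchema = { total: "number" };
  return {
    vulnerableAnon: handleSchemaRequest(anon, newSchema, webhook, vulnerableWebhookRegex, false),
    guardOnly: handleSchemaRequest(anon, newSchema, webhook, vulnerableWebhookRegex, true),
    hardenedAnon: handleSchemaRequest(anon, newSchema, webhook, hardenedWebhookRegex, true),
    hardenedBuilder: handleSchemaRequest(builder, newSchema, webhook, hardenedWebhookRegex, true),
    hardenedTrigger: authorize(
      { ...anon, path: "/api/webhooks/trigger/app_example/wh_example" },
      hardenedWebhookRegex
    ),
  };
}
```

`scenario()` makes the contrast concrete: under the original ordering the anonymous request replaces `order_id` with `total`, while the narrowed regex turns the same request into a 401 before the controller runs and leaves the builder's own update and the public trigger path untouched. The controller-side guard is the defence-in-depth layer: on its own it still turns the anonymous write into a refusal even when the middleware regex is wrong.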
What the fix does
The patch only bumps the version number from 3.38.5 to 3.39.0 in `lerna.json` [patch_id=2725523]; no code-level diff is included in the patch. The advisory states the fix is in version 3.39.0 and implies the authorization middleware or route registration was corrected to require authentication for the schema endpoint [ref_id=1]. Without the actual code diff, the precise remediation—whether the schema endpoint was removed from the webhook bypass regex or moved out of `builderRoutes`—cannot be determined from the supplied bundle.
Preconditions
- input: Attacker must know a valid workspace ID and webhook ID
- auth: No authentication or session required
- network: Network access to the Budibase server API
Reproduction
Create a webhook-backed automation as a builder and record the workspace ID and webhook ID. Log out or send no auth headers. Send `POST /api/webhooks/schema/<workspaceId>/<webhookId>` with `Content-Type: application/json` and body `{"unauth_schema_probe":"test"}`. Fetch the webhook as a builder and observe that `bodySchema` has changed; for automation-backed webhooks, inspect the automation trigger schema outputs and observe that properties were reset/updated [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0): no linked articles in our index yet.