CVE-2026-54351

Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in externalTrigger() allows an attacker to overwrite the internal appId property by including it in the webhook POST body. When the automation is processed asynchronously (the default path for webhooks without a collect step), the worker executes the attacker-defined automation in the context of the victim's workspace, granting full read/write access to the victim's database. This vulnerability is fixed in 3.39.9.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/Budibase/budibase/security/advisories/GHSA-rgvg-3wpc-h44p	Exploit Mitigation Vendor Advisory
https://github.com/Budibase/budibase/security/advisories/GHSA-rgvg-3wpc-h44p	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*

History

30 Jun 2026, 19:52

Type	Values Removed	Values Added
References	~~() https://github.com/Budibase/budibase/security/advisories/GHSA-rgvg-3wpc-h44p -~~	() https://github.com/Budibase/budibase/security/advisories/GHSA-rgvg-3wpc-h44p - Exploit, Mitigation, Vendor Advisory
CPE		cpe:2.3:a:budibase:budibase::::::::
First Time		Budibase budibase Budibase

29 Jun 2026, 16:16

Type	Values Removed	Values Added
References	~~() https://github.com/Budibase/budibase/security/advisories/GHSA-rgvg-3wpc-h44p -~~	() https://github.com/Budibase/budibase/security/advisories/GHSA-rgvg-3wpc-h44p -

26 Jun 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-26 21:16

Updated : 2026-06-30 19:52

NVD link : CVE-2026-54351

Mitre link : CVE-2026-54351

CVE.ORG link : CVE-2026-54351

JSON object : View

Products Affected

budibase

budibase

CWE

CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

{"id": "CVE-2026-54351", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-54351", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-06-29T15:02:38.654892Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 3.1}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "Budibase", "product": "budibase", "versions": [{"status": "affected", "version": "< 3.39.9"}]}]}], "published": "2026-06-26T21:16:35.170", "references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-rgvg-3wpc-h44p", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-rgvg-3wpc-h44p", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-915"}]}], "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in externalTrigger() allows an attacker to overwrite the internal appId property by including it in the webhook POST body. When the automation is processed asynchronously (the default path for webhooks without a collect step), the worker executes the attacker-defined automation in the context of the victim's workspace, granting full read/write access to the victim's database. This vulnerability is fixed in 3.39.9."}], "lastModified": "2026-06-30T19:52:17.227", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "37BF08E2-7EEE-4A61-A729-4B941DB885C5", "versionEndExcluding": "3.39.9"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}