External risk intelligence

Budibase low-code platform lets attackers bypass security to access data or disrupt services

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-41428

Budibase, a popular low-code platform, has a critical security flaw allowing anyone to bypass login and access sensitive data or disrupt services. Update immediately to protect your internal tools and applications.

4Halo Surface Signal

Authentication Bypass

Budibase

before 3.35.4

External exposure likelihood

Halo Surface Signal score for CVE-2026-41428

Budibase is a low-code platform designed to host web applications and internal tools. These deployments function as web-accessible portals and API endpoints, which are commonly exposed to the internet or wide organizational networks to facilitate remote access for users and data management.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This issue affects Budibase, an open-source low-code platform, where a flaw in how it checks for public access allows authenticated users to bypass security controls. By manipulating URLs, an attacker could access protected endpoints that should require login. This means sensitive data or system functions could be exposed without proper authorization.

  • Attackers can bypass authentication.
  • Access to protected endpoints is possible.
  • The low-code platform is the affected technology.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can bypass authentication on Budibase versions prior to 3.35.4 by crafting a request to a public endpoint that also includes a protected endpoint in its query string. This causes the application's middleware to incorrectly match the protected endpoint within the query string, granting unauthorized access.

  • Unauthenticated access to protected endpoints.
  • Append protected path as query parameter.
  • Exploitable via network requests.

Live Threat

Current exploitation, exposure, and threat context

Attackers will likely find this vulnerability appealing due to its ability to bypass authentication on sensitive endpoints without requiring any privileges or user interaction. The core issue lies in how the application handles URL matching, allowing a crafted query parameter to trick the authentication middleware. This type of flaw is attractive because it can grant immediate access to protected functionalities.

  • Exploitable via unauthenticated requests.
  • Exploitation is straightforward with a crafted URL.
  • Publicly disclosed with a fix available.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize updating Budibase to version 3.35.4 or later immediately, as this vulnerability allows unauthenticated attackers to bypass access controls and reach protected endpoints. If immediate patching is not feasible, implement network-level controls to block access to vulnerable endpoints, such as specific API paths known to be exploitable.

  • Update Budibase to 3.35.4.
  • Block direct access to public-facing APIs.
  • Monitor logs for suspicious requests.

Frequently asked questions

What is Budibase and what is its purpose?

Budibase is an open-source, low-code platform used for quickly building applications and internal tools without extensive coding. It facilitates the creation of custom business applications, data management, and workflow automation.

What type of vulnerability does CVE-2026-41428 describe?

CVE-2026-41428 is an authentication bypass vulnerability. It stems from the improper checking of public versus protected endpoints by the application's middleware, potentially allowing unauthorized access.

How can an attacker exploit the Budibase authentication bypass vulnerability?

An attacker can exploit this vulnerability by appending a protected endpoint path as a query parameter to a request targeting a public endpoint. This tricks the application's middleware, which uses unanchored regular expressions, into matching the protected endpoint within the query string and bypassing authentication.

What is the significance of CVE-2026-41428 for Budibase deployments?

This vulnerability allows unauthenticated attackers to bypass security controls and access protected endpoints on Budibase versions prior to 3.35.4. The Halo Surface Signal indicates a 'Likely' threat due to Budibase's common deployment as web-accessible portals and APIs.

What is the recommended remediation for CVE-2026-41428?

The primary recommendation is to update Budibase to version 3.35.4 or later immediately. If immediate patching is not possible, consider implementing network-level controls to block access to known exploitable API paths and monitor system logs for suspicious activity.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified