CVE-2026-41428
Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher, Leading to Unauthenticated Access to Protected Endpoints
CVSS Score
9.1
EPSS Score
0.0%
EPSS Percentile
0th
Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match the public (no-auth) endpoint patterns against ctx.request.url. Because ctx.request.url in Koa still carries the query string, an attacker can reach any protected endpoint by appending a public endpoint path as a query parameter. For example, POST /api/global/users/search?x=/api/system/status bypasses authentication entirely, because the unanchored pattern for /api/system/status matches inside the query-string portion of the URL rather than the path. The fix is to match anchored patterns against the path only; this vulnerability is fixed in 3.35.4.
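The following is an added illustration of the bug class described above, not Budibase's own middleware code. It places a matcher written the unanchored, raw-URL way beside a hardened version that anchors each pattern and tests only the path component, then runs both over a constructed set of requests including the advisory's bypass shape. The pattern list, function names and the minimal Koa-like context object are assumptions made for the example; only ctx.request.url carrying the query string and ctx.path being the bare pathname mirror real Koa behaviour.

```javascript
// Added example for CVE-2026-41428 (unanchored regex vs. raw URL). Not Budibase
// code: the pattern list, function names and the fake Koa context are assumed.

// Assumed public (no-auth) endpoint patterns, written the way the advisory
// describes: no ^ or $ anchor, so they match anywhere in the tested string.
const PUBLIC_PATTERNS_UNANCHORED = [
  /\/api\/system\/status/,
  /\/api\/global\/auth/,
];

// Vulnerable check: tests ctx.request.url, which in Koa still includes the
// query string, so a public path smuggled into ?x=... satisfies the regex.
function isPublicVulnerable(ctx) {
  return PUBLIC_PATTERNS_UNANCHORED.some((re) => re.test(ctx.request.url));
}

// Hardened check: anchor every pattern at both ends and test only ctx.path
// (Koa strips the query string from ctx.path), so neither the query string
// nor a longer path that merely contains a public path can match.
const PUBLIC_PATTERNS_ANCHORED = [
  /^\/api\/system\/status$/,
  /^\/api\/global\/auth$/,
];

function isPublicFixed(ctx) {
  return PUBLIC_PATTERNS_ANCHORED.some((re) => re.test(ctx.path));
}

// Build a minimal Koa-like context from a method and raw URL. Real Koa sets
// ctx.request.url to the raw URL (query string included) and ctx.path to the
// pathname only; this helper reproduces that split for the example.
function makeCtx(method, rawUrl) {
  const u = new URL(rawUrl, "http://budibase.local"); // base host is a placeholder
  return { method, path: u.pathname, request: { url: rawUrl } };
}

// Simulated authenticated middleware decision: public routes pass through,
// everything else must carry a valid session.
function gate(isPublic, ctx) {
  return isPublic(ctx) ? "allowed" : "requires-auth";
}

// Constructed requests: a genuine public route, a protected route, and the
// advisory's bypass (public path appended as a query parameter).
const REQUESTS = [
  ["GET", "/api/system/status"],
  ["POST", "/api/global/users/search"],
  ["POST", "/api/global/users/search?x=/api/system/status"],
];

// Run every request through both matchers and return the decisions keyed by URL.
function run() {
  const out = {};
  for (const [method, url] of REQUESTS) {
    const ctx = makeCtx(method, url);
    out[url] = {
      vulnerable: gate(isPublicVulnerable, ctx),
      fixed: gate(isPublicFixed, ctx),
    };
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(run());
}
```

Running the block prints a table in which the bypass request is "allowed" by the vulnerable matcher and "requires-auth" by the fixed one, while the legitimate public route is allowed by both. When auditing a Koa or Express codebase for this pattern, grep for `.test(ctx.request.url)`, `.test(ctx.url)` or `.test(req.url)` next to a route allow-list; the safe combination is an anchored regex (or exact string comparison) against the path component only.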
| CWE | CWE-287 |
| Vendor | budibase |
| Product | budibase |
| Published | Apr 24, 2026 |
| Last Updated | Apr 24, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High
Affected Versions
Budibase / budibase
< 3.35.4