CVE-2026-50132: Budibase has an Account Impersonation Issue — Chat Identity Link Hijacking via Missing Consent & CSRF
| Dimension | Detail |
|---|---|
| Confidentiality | High — the attacker can read every table row, file, and knowledge base record accessible to the victim |
| Integrity | High — the attacker can write rows and trigger automations (email, external API calls, record creation) as the victim |
| Availability | None |
| Auth required | Low — attacker only needs a Slack/Discord account in the same workspace as the Budibase bot |
| User interaction | Required — victim clicks one link (trivial social engineering in any enterprise Slack) |
| Scope | Unchanged — impact is within the victim’s Budibase tenant |
| Persistence | Permanent — the link document persists in CouchDB until explicitly deleted; re-exploitation survives token rotation |