
CVE-2026-50136: Budibase: Unauthenticated S3 signed upload URL generation allows arbitrary writes with stored datasource credentials

June 22, 2026

The application server exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored in a workspace datasource. The route is protected only by the recaptcha middleware and does not require authentication, table permission, datasource permission, or builder access. A public caller who knows a workspace ID and S3 datasource ID can request a signed upload URL for attacker-controlled bucket and key values.
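The defect described above is a middleware gap: the only check in front of the signing handler is the captcha, so the handler mints a PutObject URL with the datasource's stored credentials for whatever bucket and key the caller names. The following is an added illustration written for this page, not Budibase's code and not the fix in PR 18774. It models a Koa-style middleware chain in plain JavaScript and places a captcha-only route beside the same route guarded by session authentication, a workspace-membership check on the datasource, and pinning of the bucket to the one configured on the datasource. `recaptcha()`, `authenticate()`, `requireDatasourceAccess()`, `signUploadUrl()`, the datasource store and every credential value are constructed stand-ins (the signer returns a URL-shaped string rather than a real SigV4 signature).

```javascript
// Minimal synchronous Koa-style chain: each middleware gets (ctx, next).
// Real Koa middlewares are async; the shape of the checks is the same.
function runChain(middlewares, ctx) {
  let index = -1;
  function dispatch(i) {
    if (i <= index) throw new Error("next() called more than once");
    index = i;
    const fn = middlewares[i];
    if (fn) fn(ctx, () => dispatch(i + 1));
  }
  dispatch(0);
  return ctx.response;
}

function makeCtx({ user = null, json = {}, headers = {} } = {}) {
  return { request: { user, json, headers }, response: { status: undefined, body: undefined }, state: {} };
}

function reply(ctx, status, body) {
  ctx.response.status = status;
  ctx.response.body = body;
}

// Constructed in-memory datasource store; the credential fields are placeholders.
const DATASOURCES = {
  ds_example: {
    workspaceId: "ws_example",
    bucket: "tenant-uploads",
    accessKeyId: "EXAMPLE-KEY-ID",       // placeholder, not a real credential
    secretAccessKey: "EXAMPLE-SECRET",   // placeholder, not a real credential
  },
};

// Constructed placeholder for a presigner: a real implementation would hand
// ds.accessKeyId / ds.secretAccessKey to the SDK. What matters here is which
// credentials sign, and which bucket and key the caller was allowed to choose.
function signUploadUrl(ds, bucket, key) {
  return `https://${bucket}.s3.example/${key}?X-Amz-Credential=${ds.accessKeyId}&X-Amz-Signature=constructed`;
}

// Stand-in captcha check: proves a token was presented, nothing about who sent it.
function recaptcha(ctx, next) {
  if (!ctx.request.headers["x-captcha-token"]) return reply(ctx, 400, { error: "captcha required" });
  next();
}

// Stand-in session check: ctx.request.user would be set by the session layer.
function authenticate(ctx, next) {
  if (!ctx.request.user) return reply(ctx, 401, { error: "unauthenticated" });
  next();
}

// The datasource must exist and the caller must belong to its workspace.
function requireDatasourceAccess(ctx, next) {
  const ds = DATASOURCES[ctx.request.json.datasourceId];
  const user = ctx.request.user;
  if (!ds || !user.workspaces.includes(ds.workspaceId)) return reply(ctx, 403, { error: "forbidden" });
  ctx.state.datasource = ds;
  next();
}

// Object keys: bounded charset and length, no absolute paths, no ".." segments.
const SAFE_KEY = /^[A-Za-z0-9._\/-]{1,256}$/;
function isSafeKey(key) {
  return typeof key === "string" && SAFE_KEY.test(key) && !key.startsWith("/") && !key.split("/").includes("..");
}

// Captcha-only route: anyone with a datasource ID drives bucket, key and credentials.
function vulnerableHandler(ctx) {
  const { datasourceId, bucket, key } = ctx.request.json;
  const ds = DATASOURCES[datasourceId];
  if (!ds) return reply(ctx, 404, { error: "datasource not found" });
  reply(ctx, 200, { url: signUploadUrl(ds, bucket, key) });
}

// Guarded route: bucket pinned to the datasource's own, key validated.
function hardenedHandler(ctx) {
  const ds = ctx.state.datasource;
  const { bucket, key } = ctx.request.json;
  if (bucket !== ds.bucket) return reply(ctx, 400, { error: "bucket not permitted for this datasource" });
  if (!isSafeKey(key)) return reply(ctx, 400, { error: "invalid object key" });
  reply(ctx, 200, { url: signUploadUrl(ds, bucket, key) });
}

function serveVulnerable(opts) {
  return runChain([recaptcha, vulnerableHandler], makeCtx(opts));
}

function serveHardened(opts) {
  return runChain([recaptcha, authenticate, requireDatasourceAccess, hardenedHandler], makeCtx(opts));
}
```

Calling `serveVulnerable` with a captcha header but no user returns a 200 and a URL for any bucket the caller names; `serveHardened` returns 401 without a session, 403 for a user outside the datasource's workspace, and 400 when the bucket differs from the configured one or the key fails validation. Pinning the bucket is the check most worth keeping even once authentication is in place: a legitimate workspace member should only be able to write where the datasource was configured to write.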

References

  • github.com/Budibase/budibase/commit/d9dbb7f6105373cc88ecacdbcab70c776f7dd6a1
  • github.com/Budibase/budibase/pull/18774
  • github.com/Budibase/budibase/security/advisories/GHSA-jj36-r9w3-3pfh
  • github.com/advisories/GHSA-jj36-r9w3-3pfh
  • nvd.nist.gov/vuln/detail/CVE-2026-50136


Affected versions

All versions before 3.39.2

Fixed versions

  • 3.39.2

Solution

Upgrade to version 3.39.2 or above.

Impact

7.4 HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L


Source file

npm/@budibase/server/CVE-2026-50136.yml


Page generated Tue, 23 Jun 2026 12:23:03 +0000.