@budibase/server
npm19 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting @budibase/serverpage 1 of 1
- CVE-2026-25044HIGHCVSS 8.8EG 8.8✓ Fixed in 3.33.42026-04-03
Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync whi…
- CVE-2026-35214HIGHCVSS 8.7EG 8.7✓ Fixed in 3.33.42026-04-03
Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. …
- CVE-2026-35216CRITICALCVSS 9.0EG 9.0✓ Fixed in 3.33.42026-04-03
Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook …
- CVE-2026-45548HIGHCVSS 7.7EG 7.7✓ Fixed in 3.34.82026-05-15
Budibase is an open-source low-code platform. Prior to 3.34.8, the processUrlFile function in packages/server/src/automations/steps/ai/extract.ts uses fetch(fileUrl) directly without the IP blacklist validation that is consistently applied…
- CVE-2026-45715HIGHCVSS 7.7EG 7.7✓ Fixed in 3.38.12026-05-15
Budibase is an open-source low-code platform. Prior to 3.38.1, the REST datasource integration (packages/server/src/integrations/rest.ts) follows HTTP redirects without re-checking the IP blacklist, allowing an authenticated Builder to acc…
- CVE-2026-45717HIGHCVSS 8.8EG 8.8✓ Fixed in 3.38.12026-05-15
Budibase is an open-source low-code platform. Prior to 3.38.1, Budibase exposes a REST API for datasource management. The route PUT /api/datasources/:datasourceId is registered in the authorizedRoutes group with TABLE/READ permission. This…
- CVE-2026-45719MEDIUMCVSS 6.5EG 6.5✓ Fixed in 3.38.12026-05-18
Budibase is an open-source low-code platform. Prior to 3.38.1, the V1 Views API (POST /api/views) accepts a calculation parameter from the request body that is interpolated directly into a CouchDB reduce function definition without validat…
- CVE-2026-48146HIGHCVSS 7.7EG 7.7✓ Fixed in 3.39.02026-05-27
Budibase is an open-source low-code platform. Prior to 3.39.0, the OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts uses raw fetch(config.url) with no SSRF protection. The safe wrapper fetchWithBlacklist() e…
- CVE-2026-48148MEDIUMCVSS 5.3EG 5.3✓ Fixed in 3.35.32026-05-27
Budibase is an open-source low-code platform. Prior to 3.35.3, the VectorDB configuration endpoint in Budibase accepts a host parameter that undergoes no validation against internal IP ranges, reserved hostnames, or URL schemes. Any authe…
- CVE-2026-48150CRITICALCVSS 9.0EG 9.0✓ Fixed in 3.39.02026-05-27
Budibase is an open-source low-code platform. Prior to 3.39.0, /api/public/v1/roles/assign is guarded by the builderOrAdmin middleware, which passes any user who is a builder for the app id in the x-budibase-app-id header. That check admit…
- CVE-2026-48151HIGHCVSS 7.5EG 7.5✓ Fixed in 3.39.02026-05-27
Budibase is an open-source low-code platform. Prior to 3.39.0, the webhook schema-building endpoint is registered under builderRoutes, but the generic authorization middleware skips authorization for all paths matching /api/webhooks/schema…
- CVE-2026-48152HIGHCVSS 8.1EG 8.1✓ Fixed in 3.39.02026-05-27
Budibase is an open-source low-code platform. Prior to 3.39.0, the single-datasource GET and PUT routes are guarded by generic TABLE READ, not by Builder/Admin permission or datasource-specific ownership/resource checks. The built-in Basic…
- CVE-2026-48153HIGHCVSS 8.5EG 8.5✓ Fixed in 3.39.02026-05-27
Budibase is an open-source low-code platform. Prior to 3.39.0, fetchToken in the OAuth2 SDK makes a POST to a builder-supplied URL with plain node-fetch, skipping the blacklist.isBlacklisted check that every other outbound fetch path in th…
- CVE-2026-50132HIGHCVSS 7.3EG 7.3✓ Fixed in 3.39.02026-06-22
Budibase is an open-source low-code platform. Prior to 3.39.0, `GET /api/chat-links/:instance/:token/handoff` is a public endpoint (no auth required) that performs a permanent, state-changing operation: it binds an external chat identity (…
- CVE-2026-50136MEDIUMCVSS 5.3EG 5.3✓ Fixed in 3.39.22026-06-22
Budibase is an open-source low-code platform. Prior to 3.39.3, the application server exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored in a workspace datasource. The route is protected…
- CVE-2026-50137CRITICALCVSS 9.4EG 9.4✓ Fixed in 3.39.02026-06-22
Budibase is an open-source low-code platform. Prior to 3.39.0, an anonymous attacker who knows or can enumerate a workspace id (app_...) and an S3-source datasource id (ds_...) can call this endpoint with no auth and obtain a 15-minute pre…
- CVE-2026-54350CRITICALCVSS 9.8EG 9.8✓ Fixed in 3.39.122026-06-23
Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collect…
- CVE-2026-54351CRITICALCVSS 9.6EG 9.6✓ Fixed in 3.39.92026-06-22
Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in e…
- CVE-2026-54352CRITICALCVSS 9.6EG 9.6✓ Fixed in 3.39.92026-06-22
Budibase is an open-source low-code platform. Prior to 3.39.9, `POST /api/pwa/process-zip` at packages/server/src/api/routes/static.ts:24 accepts a builder-uploaded .zip, extracts it with [email protected] into a temp directory, then for e…
Check whether @budibase/server is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for @budibase/server CVEs against the assets you own.
Start Free Scan →