Threat Advisory

Budibase Vulnerability Exposes Authenticated Users' Uploaded Content

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-46426, with a CVSS score of 7.6, is a high-severity vulnerability affecting the npm/budibase package, specifically versions prior to 3.38.2. The vulnerability exists in the file upload endpoint, `POST /api/attachments/process`, which does not enforce active-content restrictions for authenticated users, allowing them to upload executable web content such as SVG files with inline `<script>` tags, HTML pages with JavaScript, and `.js` modules. These files are stored in the object store with their correct MIME types and are executed when the resulting signed URL is opened by any app user, leading to persistent stored XSS affecting all application end users. An attacker can exploit this vulnerability by authenticating as a builder using an account with basic permissions, uploading an SVG file with an XSS payload, and then opening the resulting signed URL, which executes the payload in the browser, allowing for session cookie theft and full account takeover.
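The missing control described above is an active-content restriction on the upload endpoint. The following is an added example of such a check, written for this advisory and not taken from Budibase; the function names, the list of blocked types and the SVG patterns are illustrative assumptions, and the policy fails closed by inspecting the file body rather than trusting the declared MIME type.

```javascript
// Added example (not Budibase code): an active-content policy for an attachment
// upload endpoint. Types a browser executes when opened directly (HTML,
// JavaScript, scripted SVG) are rejected before storage. Names are assumptions.
const ACTIVE_MIME = new Set([
  "text/html", "application/xhtml+xml", "text/javascript",
  "application/javascript", "application/x-javascript",
]);
const ACTIVE_EXT = new Set(["html", "htm", "xhtml", "js", "mjs"]);

// Constructs that make an SVG executable when rendered by a browser.
const SVG_ACTIVE = [
  /<script[\s>]/i,                 // inline script blocks
  /\son[a-z]+\s*=\s*["']/i,        // event handler attributes (onload=, onclick=, ...)
  /javascript:/i,                  // javascript: URLs in href / xlink:href
  /<foreignObject[\s>]/i,          // arbitrary HTML embedded in the SVG
  /<!ENTITY/i,                     // DTD entities (entity expansion / XXE)
];

function fileExtension(name) {
  const i = name.lastIndexOf(".");
  return i === -1 ? "" : name.slice(i + 1).toLowerCase();
}

// Decide whether an upload may be stored. `body` is the raw file content
// (Buffer or string). Returns { allowed, reason }.
function checkUpload({ filename, mimeType, body }) {
  const text = Buffer.isBuffer(body) ? body.toString("utf8") : String(body);
  const ext = fileExtension(filename);
  const mime = String(mimeType || "").split(";")[0].trim().toLowerCase();
  if (ACTIVE_MIME.has(mime) || ACTIVE_EXT.has(ext)) {
    return { allowed: false, reason: `active content type (${mime || ext})` };
  }
  // Plain SVG images are fine; SVG carrying script or handlers is not.
  if (mime === "image/svg+xml" || ext === "svg" || /<svg[\s>]/i.test(text)) {
    const hit = SVG_ACTIVE.find((re) => re.test(text));
    if (hit) return { allowed: false, reason: `scripted SVG (${hit.source})` };
  }
  // Do not trust the declared type: a "text/plain" body that is really HTML
  // would still be rendered by a sniffing browser.
  if (/^\s*(<!DOCTYPE\s+html|<html[\s>]|<script[\s>])/i.test(text)) {
    return { allowed: false, reason: "body is HTML regardless of declared type" };
  }
  return { allowed: true, reason: "ok" };
}
```

Files that pass the check should still be served with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`, so that anything the filter misses is downloaded rather than rendered in the application's origin.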

RECOMMENDATION:

We recommend updating npm/budibase to version 3.38.2.

REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-82rc-gxrg-v4gf