{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T23:35:37.789","vulnerabilities":[{"cve":{"id":"CVE-2026-31816","sourceIdentifier":"security-advisories@github.com","published":"2026-03-09T21:16:20.733","lastModified":"2026-03-13T17:33:41.703","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized() middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any request. The isWebhookEndpoint() function uses an unanchored regex that tests against ctx.request.url, which in Koa includes the full URL with query parameters. When the regex matches, the authorized() middleware immediately calls return next(), skipping all authentication, authorization, role checks, and CSRF protection. This means a completely unauthenticated, remote attacker can access any server-side API endpoint by simply appending ?/webhooks/trigger (or any webhook pattern variant) to the URL."},{"lang":"es","value":"Budibase es una plataforma de bajo código para crear herramientas internas, flujos de trabajo y paneles de administración. En la versión 3.31.4 y anteriores, el middleware authorized() del servidor de Budibase que protege cada endpoint de API del lado del servidor puede ser completamente eludido al añadir un patrón de ruta de webhook a la cadena de consulta de cualquier solicitud. La función isWebhookEndpoint() utiliza una expresión regular no anclada que se prueba contra ctx.request.url, que en Koa incluye la URL completa con parámetros de consulta. Cuando la expresión regular coincide, el middleware authorized() llama inmediatamente a return next(), omitiendo toda autenticación, autorización, comprobaciones de rol y protección CSRF. Esto significa que un atacante remoto y completamente no autenticado puede acceder a cualquier endpoint de API del lado del servidor simplemente añadiendo ?/webhooks/trigger (o cualquier variante de patrón de webhook) a la URL."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-74"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*","versionEndIncluding":"3.31.4","matchCriteriaId":"2D6D88E6-A107-4300-B0E5-C2717900C2A1"}]}]}],"references":[{"url":"https://github.com/Budibase/budibase/security/advisories/GHSA-gw94-hprh-4wj8","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://github.com/Budibase/budibase/security/advisories/GHSA-gw94-hprh-4wj8","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Vendor Advisory"]}]}}]}
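Added example, not Budibase's code: a minimal Koa-style model of the bypass the description above attributes to isWebhookEndpoint() and authorized(). In Koa, ctx.request.url is the raw request target including the query string, while ctx.request.path is the pathname alone, so an unanchored regex tested against the former matches "?/webhooks/trigger" appended to any route. The regex patterns, the "/api/webhooks/…" route shape, the helper names (makeCtx, evaluate) and the sample request URLs are all assumptions made here for illustration; only the function names, ctx.request.url and the "?/webhooks/trigger" payload come from the advisory text.

```javascript
// Added example (not Budibase's code): models CVE-2026-31816 against a
// hand-built Koa-style ctx. Regex patterns, route shape and sample URLs are
// assumptions for illustration, not the project's real values.

// Koa exposes ctx.request.url (raw target, query included) and
// ctx.request.path (pathname only). Build both from a raw request target.
function makeCtx(rawUrl) {
  const u = new URL(rawUrl, "http://budibase.local"); // base only for parsing
  return { request: { url: rawUrl, path: u.pathname }, state: {} };
}

// Vulnerable shape described in the advisory: an unanchored pattern tested
// against the full URL, so the same text inside the query string also matches.
const WEBHOOK_PATTERN_UNANCHORED = /\/webhooks\/(trigger|schema)/; // assumed
function isWebhookEndpointVulnerable(ctx) {
  return WEBHOOK_PATTERN_UNANCHORED.test(ctx.request.url);
}

// Hardened shape: anchor the pattern to the start of the pathname and test
// ctx.request.path, so query-string contents cannot influence the decision.
const WEBHOOK_PATTERN_ANCHORED = /^\/api\/webhooks\/(trigger|schema)\//; // assumed route
function isWebhookEndpointFixed(ctx) {
  return WEBHOOK_PATTERN_ANCHORED.test(ctx.request.path);
}

// Stand-in for the authorized() middleware: the webhook check short-circuits
// every later gate (authn, authz, roles, CSRF), exactly the branch the advisory
// says is reached via "return next()". Returns the gate taken, for assertions.
function authorized(isWebhook, ctx, isAuthenticated) {
  if (isWebhook(ctx)) return "skipped-auth"; // return next() in the real middleware
  if (!isAuthenticated) return "401";
  return "allowed";
}

// Run one request through both variants of the check.
function evaluate(rawUrl, isAuthenticated) {
  const ctx = makeCtx(rawUrl);
  return {
    vulnerable: authorized(isWebhookEndpointVulnerable, ctx, isAuthenticated),
    fixed: authorized(isWebhookEndpointFixed, ctx, isAuthenticated),
  };
}

// Constructed sample requests (not captured traffic). The first two are the
// bypass from the advisory; the rest show normal behaviour is unchanged.
const SAMPLE_REQUESTS = [
  { url: "/api/users?/webhooks/trigger", authed: false },
  { url: "/api/global/users?x=/webhooks/schema", authed: false },
  { url: "/api/webhooks/trigger/app_dev_1/wh_1", authed: false },
  { url: "/api/users", authed: true },
  { url: "/api/users", authed: false },
];

function runSamples() {
  return SAMPLE_REQUESTS.map((r) => ({ ...r, ...evaluate(r.url, r.authed) }));
}

for (const row of runSamples()) {
  console.log(`${row.url.padEnd(44)} authed=${row.authed}  vulnerable=${row.vulnerable}  fixed=${row.fixed}`);
}
```

The takeaway for review: any allow-list check in front of authentication must match on the parsed path, not the raw URL, and must be anchored; a pattern like /\/webhooks\/trigger/ is content-matching, not route-matching. The same test harness can be pointed at a real ctx from a Koa route to confirm which attribute a middleware actually inspects.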