{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31816", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T16:33:42.914Z", "datePublished": "2026-03-09T20:55:52.765Z", "dateUpdated": "2026-03-10T15:20:48.703Z"}, "containers": {"cna": {"title": "Budibase Universal Auth Bypass via Webhook Query Param Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Budibase/budibase/security/advisories/GHSA-gw94-hprh-4wj8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-gw94-hprh-4wj8"}], "affected": [{"vendor": "Budibase", "product": "budibase", "versions": [{"version": "<= 3.31.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T20:55:52.765Z"}, "descriptions": [{"lang": "en", "value": "Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized() middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any request. The isWebhookEndpoint() function uses an unanchored regex that tests against ctx.request.url, which in Koa includes the full URL with query parameters. When the regex matches, the authorized() middleware immediately calls return next(), skipping all authentication, authorization, role checks, and CSRF protection. This means a completely unauthenticated, remote attacker can access any server-side API endpoint by simply appending ?/webhooks/trigger (or any webhook pattern variant) to the URL."}], "source": {"advisory": "GHSA-gw94-hprh-4wj8", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-gw94-hprh-4wj8", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T15:20:38.849996Z", "id": "CVE-2026-31816", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T15:20:48.703Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31816", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T15:20:38.849996Z"}}}], "references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-gw94-hprh-4wj8", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T15:19:36.045Z"}}], "cna": {"title": "Budibase Universal Auth Bypass via Webhook Query Param Injection", "source": {"advisory": "GHSA-gw94-hprh-4wj8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Budibase", "product": "budibase", "versions": [{"status": "affected", "version": "<= 3.31.4"}]}], "references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-gw94-hprh-4wj8", "name": "https://github.com/Budibase/budibase/security/advisories/GHSA-gw94-hprh-4wj8", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized() middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any request. The isWebhookEndpoint() function uses an unanchored regex that tests against ctx.request.url, which in Koa includes the full URL with query parameters. When the regex matches, the authorized() middleware immediately calls return next(), skipping all authentication, authorization, role checks, and CSRF protection. This means a completely unauthenticated, remote attacker can access any server-side API endpoint by simply appending ?/webhooks/trigger (or any webhook pattern variant) to the URL."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T20:55:52.765Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31816", "state": "PUBLISHED", "dateUpdated": "2026-03-10T15:20:48.703Z", "dateReserved": "2026-03-09T16:33:42.914Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-09T20:55:52.765Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized() middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any request. The isWebhookEndpoint() function uses an unanchored regex that tests against ctx.request.url, which in Koa includes the full URL with query parameters. When the regex matches, the authorized() middleware immediately calls return next(), skipping all authentication, authorization, role checks, and CSRF protection. This means a completely unauthenticated, remote attacker can access any server-side API endpoint by simply appending ?/webhooks/trigger (or any webhook pattern variant) to the URL."}, {"lang": "es", "value": "Budibase es una plataforma de bajo c\u00f3digo para crear herramientas internas, flujos de trabajo y paneles de administraci\u00f3n. En la versi\u00f3n 3.31.4 y anteriores, el middleware authorized() del servidor de Budibase que protege cada endpoint de API del lado del servidor puede ser completamente eludido al a\u00f1adir un patr\u00f3n de ruta de webhook a la cadena de consulta de cualquier solicitud. La funci\u00f3n isWebhookEndpoint() utiliza una expresi\u00f3n regular no anclada que se prueba contra ctx.request.url, que en Koa incluye la URL completa con par\u00e1metros de consulta. Cuando la expresi\u00f3n regular coincide, el middleware authorized() llama inmediatamente a return next(), omitiendo toda autenticaci\u00f3n, autorizaci\u00f3n, comprobaciones de rol y protecci\u00f3n CSRF. Esto significa que un atacante remoto y completamente no autenticado puede acceder a cualquier endpoint de API del lado del servidor simplemente a\u00f1adiendo ?/webhooks/trigger (o cualquier variante de patr\u00f3n de webhook) a la URL."}], "id": "CVE-2026-31816", "lastModified": "2026-03-11T13:53:47.157", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-09T21:16:20.733", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-gw94-hprh-4wj8"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-gw94-hprh-4wj8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.31.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "budibase", "source": "cna", "vendor": "Budibase"}, "product": "budibase", "vendor": "budibase"}], "created": "2026-03-10T14:07:04.491856+00:00", "updated": "2026-03-10T14:07:04.491954+00:00", "vendors": ["budibase", "budibase$PRODUCT$budibase"]}