CVE-2026-48151 HIGH

CVE-2026-48151: Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema

Vendor Budibase
Product budibase
Weakness CWE-862 · Missing authorization
Published May 27, 2026
Last update May 28, 2026
View on NVD All CVEs

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

Budibase is an open-source low-code platform. Prior to 3.39.0, the webhook schema-building endpoint is registered under builderRoutes, but the generic authorization middleware skips authorization for all paths matching /api/webhooks/schema. As a result, an unauthenticated caller can update the body schema for a known webhook and mutate the corresponding automation trigger output schema. This vulnerability is fixed in 3.39.0.

Key dates

02Disclosure timeline

May 27, 2026 CVE published
May 28, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-46148 WordPress Themify Ultra theme <= 7.3.5 - Authenticated Arbitrary Settings Change vulnerability CVE-2025-14342 SEO Plugin by Squirrly SEO <= 12.4.14 - Missing Authorization to Authenticated (Subscriber+) Cloud Service Disconnection CVE-2023-5411 Funnelforms Free <= 3.4 - Missing Authorization to Post Modification CVE-2022-23945 Apache ShenYu missing authentication allows gateway registration CVE-2023-40678 WordPress Simple URLs plugin <= 117 - Broken Access Control vulnerability