CVE-2026-46426: Budibase: Unrestricted Upload of File with Dangerous Type
Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED), meaning any authenticated builder can upload executable web content — SVG files with inline <script> tags, HTML pages with JavaScript, .js modules — which are then stored in the object store (MinIO/S3) with their correct MIME types. When the resulting signed URL is opened by any app user, the browser executes the payload. Impact is persistent stored XSS over all application end users. This vulnerability is fixed in 3.38.2.
HarborGuard Analysis
Synopsis
Unrestricted file upload in Budibase, the open-source low-code platform, allows any authenticated builder to upload active web content (SVG files with embedded scripts, HTML pages, JavaScript modules) through the attachment processing endpoint. The endpoint skips dangerous-extension checks for authenticated users, so the uploaded files are stored in object storage with their original MIME types and served back via signed URLs. When any app user opens such a URL, the browser executes the payload, resulting in persistent stored cross-site scripting (XSS) across all application end users. No fix version has been published yet; HarborGuard is tracking the upstream advisory for patch availability.
HarborGuard Coverage
- Detection: Available
Detection of CVE-2026-46426 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built Budibase images, in registries and CI pipelines.
- Triage: Available
Triage is available using the CVSS v3.1 score of 7.6 (HIGH), weighted against each customer organization's compliance policy, with findings routed to the inbox or ticketing integration configured for that environment.
- Patched-image rebuild: Pending upstream
Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available at the fixed version the moment the upstream patch ships. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Budibase attachment endpoint over the network; the service must be exposed to the attacker's network.
- Authentication: Required
A low-privilege authenticated account with builder access is sufficient; no admin credentials are needed.
- Victim interaction: Required
A victim app user must open the signed URL to the malicious file, triggering execution in their browser.
- Attack complexity
Exploitation is reliable and condition-free; no race conditions or special memory layout are required to trigger the upload and subsequent XSS execution.
Blast Radius
- The attacker stores a persistent malicious payload in the object store (MinIO or S3) that executes in the browser of every app user who opens the affected signed URL.
- Session tokens, cookies, and any data visible in the victim's browser session are exposed to the attacker.
- The attacker can make authenticated requests on behalf of victims, potentially reading or modifying application data within the scope of each victim's permissions.
How HarborGuard Handles This
Available on HarborGuard: images running Budibase versions prior to 3.38.2 are flagged against this CVE across all connected registries and pipelines. Because no upstream fix has been published, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment version 3.38.2 or a successor is released upstream. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger automatically without manual intervention. In the interim, compensating controls worth considering include network-policy isolation that limits which user roles can reach the POST /api/attachments/process endpoint, restricting builder-role assignment to the minimum necessary accounts, and configuring object-storage bucket policies to strip or block serving of text/html and image/svg+xml MIME types for user-uploaded content.
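The following is an added example, not Budibase's own code and not part of this advisory, illustrating two points from the text above: the flawed shape of an upload check that only runs inside `if (isPublicUser)` (so an authenticated builder is never checked), and the hardened form a maintainer or operator would want, which applies the active-content checks to every caller and adds a content sniff plus safe download headers. It also includes a scan over already-stored objects, as one of the compensating controls for content uploaded before a fix is deployed. All function names, the extension and MIME lists, the file/object shapes and the sample inputs are assumptions constructed for this example.

```javascript
// Constructed example; names, lists and object shapes are assumptions, not Budibase's API.
const ACTIVE_CONTENT_EXTENSIONS = new Set([
  "svg", "svgz", "html", "htm", "xhtml", "shtml", "xml", "js", "mjs", "cjs",
]);
const ACTIVE_CONTENT_MIME_TYPES = new Set([
  "image/svg+xml", "text/html", "application/xhtml+xml", "text/xml",
  "application/xml", "text/javascript", "application/javascript",
]);
// Markup that reveals active content regardless of the declared name or type.
const ACTIVE_CONTENT_MARKERS = /<\s*(?:!doctype\s+html|html|script|svg|iframe|object|embed)\b/i;

// Constructed sample of the kind of file the advisory describes (inert marker, no payload).
const SAMPLE_SVG_WITH_SCRIPT =
  '<svg xmlns="http://www.w3.org/2000/svg"><script>console.log("constructed test marker")</script></svg>';

function extensionOf(filename) {
  const base = String(filename).split(/[\\/]/).pop();
  const dot = base.lastIndexOf(".");
  return dot === -1 ? "" : base.slice(dot + 1).toLowerCase();
}

function normalizeMime(mimeType) {
  return String(mimeType || "").split(";")[0].trim().toLowerCase();
}

// The flawed shape the advisory describes: the extension check is wrapped in
// `if (isPublicUser)`, so any authenticated builder bypasses it entirely.
function validateUploadFlawed(file, ctx) {
  if (ctx.isPublicUser) {
    if (ACTIVE_CONTENT_EXTENSIONS.has(extensionOf(file.name))) {
      return { ok: false, reason: "active content extension" };
    }
  }
  return { ok: true };
}

// Hardened: no caller-dependent gating. Check the extension, the declared
// MIME type, and the leading bytes, so a renamed .png carrying HTML is caught.
function validateUpload(file) {
  const ext = extensionOf(file.name);
  if (ACTIVE_CONTENT_EXTENSIONS.has(ext)) {
    return { ok: false, reason: `extension .${ext} is active content` };
  }
  const mime = normalizeMime(file.mimeType);
  if (ACTIVE_CONTENT_MIME_TYPES.has(mime)) {
    return { ok: false, reason: `declared type ${mime} is active content` };
  }
  const head = Buffer.from(file.content).subarray(0, 4096).toString("latin1");
  if (ACTIVE_CONTENT_MARKERS.test(head)) {
    return { ok: false, reason: "content sniff found active-content markup" };
  }
  return { ok: true };
}

// Defense in depth for files that pass: serve as a download, never inline,
// and forbid MIME sniffing so the browser cannot turn the object into a page.
function downloadHeaders(file) {
  const safeName = String(file.name).replace(/[^\w.\-]/g, "_");
  return {
    "Content-Type": "application/octet-stream",
    "Content-Disposition": `attachment; filename="${safeName}"`,
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; sandbox",
  };
}

// Compensating control: re-run the hardened check over objects already in the
// store (shape {key, name, mimeType, content} is assumed) and return the keys
// an operator should quarantine or re-serve with downloadHeaders().
function scanStoredObjects(objects) {
  return objects
    .map((obj) => ({ key: obj.key, result: validateUpload(obj) }))
    .filter((entry) => !entry.result.ok)
    .map((entry) => ({ key: entry.key, reason: entry.result.reason }));
}
```

The flawed function shows how the gating fails: the same SVG is rejected for a public user and accepted for a builder. The hardened validator does not consult the caller at all; whether a particular extension list or an attachment-only serving mode is the right policy depends on what the application legitimately needs to store, but the check must not depend on who is uploading.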
Metrics
- CVSS v3.1: 7.6
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
- Budibase / budibase < 3.38.2
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N