HIGH · CVE-2026-48151 · CNA: GitHub_M

CVE-2026-48151: Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema

Budibase is an open-source low-code platform. Prior to 3.39.0, the webhook schema-building endpoint is registered under builderRoutes, but the generic authorization middleware skips authorization for all paths matching /api/webhooks/schema. As a result, an unauthenticated caller can update the body schema for a known webhook and mutate the corresponding automation trigger output schema. This vulnerability is fixed in 3.39.0.

HarborGuard Analysis

Synopsis

This is an authorization bypass vulnerability in Budibase, an open-source low-code platform. The webhook schema-building endpoint incorrectly skips authentication checks for any request matching the path /api/webhooks/schema, making it reachable by anyone on the network without credentials. Successful exploitation lets an unauthenticated attacker overwrite the body schema of a known webhook and tamper with the corresponding automation trigger output schema, corrupting application logic and data pipelines. HarborGuard is tracking this advisory for patch availability, as no fixed image version has been published yet.
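As an added example, not code from Budibase or HarborGuard: a hypothetical Koa-style authorization check modelling the bug class in this advisory, where a public-path skip list matches a route that was registered as builder-only, alongside a hardened variant and a startup check that flags such overlaps before deployment. The route patterns, the "BUILDER" role name and all helper names are assumptions.

```javascript
// Hypothetical route tables in the shape the advisory describes (constructed):
// builder routes need a builder session; public routes need no credentials.
const builderRoutes = ["/api/webhooks/:id", "/api/webhooks/schema/:id"];
// Bug being modelled: the builder-only schema path is listed as public.
const publicSkipList = ["/api/webhooks/trigger", "/api/webhooks/schema"];

// Turn an Express/Koa-style pattern ("/api/webhooks/schema/:id") into an
// anchored regex so a request path can be matched against it exactly.
function patternToRegex(pattern) {
  return new RegExp("^" + pattern.replace(/:[^/]+/g, "[^/]+") + "$");
}

function hasBuilderSession(ctx) {
  return Boolean(ctx.user && ctx.user.role === "BUILDER");
}

// Vulnerable: any path that matches a skip-list prefix bypasses authorization
// entirely, so the builder-only schema endpoint is reachable unauthenticated.
function authorizeVulnerable(ctx) {
  if (publicSkipList.some((p) => ctx.path.startsWith(p))) return true;
  return hasBuilderSession(ctx);
}

// Hardened: builder routes are authorized first; the public skip list is only
// consulted for paths that are not registered as builder routes.
function authorizeHardened(ctx) {
  const isBuilderRoute = builderRoutes.some((r) => patternToRegex(r).test(ctx.path));
  if (isBuilderRoute) return hasBuilderSession(ctx);
  return publicSkipList.some((p) => ctx.path.startsWith(p));
}

// Startup consistency check: every builder route whose pattern would also be
// skipped by the public list. A non-empty result is a misconfiguration.
function findExemptBuilderRoutes(routes, skipList) {
  return routes.filter((r) => skipList.some((p) => r.startsWith(p)));
}

function main() {
  // Constructed request: unauthenticated caller hitting a known webhook's schema route.
  const anon = { path: "/api/webhooks/schema/wh_123", user: null };
  console.log("vulnerable allows anon:", authorizeVulnerable(anon)); // true
  console.log("hardened allows anon:", authorizeHardened(anon)); // false
  console.log("exempted builder routes:", findExemptBuilderRoutes(builderRoutes, publicSkipList));
}
main();
```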

HarborGuard Coverage

Detection

Detection of CVE-2026-48151 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle Budibase. Coverage applies to both registry scans and inline CI/CD pipeline scans.

Status: Available

Triage

Triage is available using the CVSS v3.1 score of 7.5 (HIGH), with per-environment compliance policy weighting applied to prioritize routing. Each customer organization can have findings routed to the appropriate team inbox based on ownership and policy configuration.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the Budibase instance.

  • Authentication: Not required

    The authorization middleware skips all credential checks for the affected path, so no account or token of any kind is needed.

  • Victim interaction: Not required

    The attacker sends requests directly to the endpoint and no action by a logged-in user is required to trigger the vulnerability.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and condition-free; the attacker only needs to know or guess a webhook identifier to target.

Blast Radius

  • An attacker can overwrite the body schema of any webhook whose identifier is known or guessable, changing how incoming webhook payloads are parsed.
  • Mutating the webhook schema propagates changes to the corresponding automation trigger output schema, corrupting the data passed into downstream automation steps.
  • Automations that depend on the tampered schema may process malformed or attacker-controlled field mappings, potentially causing incorrect business logic execution.
  • Integrity of the application configuration is damaged without leaving obvious access-log indicators, since the endpoint is treated as a public route by design.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-48151 is flagged on any image found to include an affected Budibase version (prior to 3.39.0), with the finding scored at HIGH (CVSS 7.5) and routed according to each environment's compliance policy. Because no upstream fix has been released yet, HarborGuard monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment Budibase publishes a corrected release. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression test run and a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy isolation that restricts external access to the Budibase API, egress filtering to limit lateral movement if the service is compromised, and review of exposed webhook identifiers to reduce the attack surface until a patch is available.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in:
Affected products: 1
Affected packages:
  • Budibase / budibase < 3.39.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N