CVE-2026-50137

HIGH SEVERITY

Vulnerability Description

Budibase: POST /api/attachments/:datasourceId/url is unauthenticated and lets anonymous callers mint S3 PUT pre-signed URLs using stored datasource IAM credentials

Vulnerability Details

Published Date

June 22, 2026

Last Modified

June 22, 2026

Source

GitHub

Vendor

npm

Product

@budibase/server

External References

https://github.com/Budibase/budibase/security/advisories/GHSA-35c4-rvc8-frhm
https://github.com/advisories/GHSA-35c4-rvc8-frhm

CVE-2026-50137

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment