
CVE-2026-41428 Critical Vulnerability Hits Budibase


Critical CVE-2026-41428 in Budibase allows authentication bypass through query-string matching

Budibase versions before 3.35.4 are affected by an authentication bypass flaw tracked as CVE-2026-41428.

Budibase is affected by CVE-2026-41428, a critical authentication bypass with a CVSS score of 9.1 that applies to versions prior to 3.35.4. The flaw lets an attacker reach protected endpoints by placing a public path inside the query string of a request.

The issue was published by NVD on 2026-04-24 and traces to authentication middleware that checks whether a route is public by running unanchored regular expressions against the full request URL. Because Koa includes the query string in ctx.request.url, a request can be made to look public even when its real target is protected.

The published example shows the problem clearly: POST /api/global/users/search?x=/api/system/status bypasses authentication because the regex for /api/system/status/ matches inside the query portion of the URL. NVD lists the weakness as CWE-287, Improper Authentication, and marks Budibase versions up to but excluding 3.35.4 as vulnerable.

Unanchored regular expressions let a public path override a protected one

The core failure is the way the middleware decides whether a request should skip authentication. Instead of checking a normalized path, it evaluates the full request URL, so any public endpoint fragment appearing anywhere in that string can be treated as a match.

That behavior creates an authentication decision that depends on pattern placement rather than route identity. In practice, the attacker does not need to alter Budibase’s route structure, only the request text that reaches the matcher.

The vulnerability matters because authentication middleware sits in front of the application’s protected API surface. When that control fails, requests that should be blocked can move through to internal or administrative functionality without valid credentials.

The attack requires only network access and no valid account

The advisory data describes the attack as network-based, low complexity, and requiring no user interaction. It also assigns no privileges and no integrity impact, while confidentiality and availability are both rated high in the CVSS vector.

That combination means the exposure is broad wherever Budibase is reachable over HTTP or HTTPS. The source material also notes that no known exploit or public proof of concept has been confirmed, but the vulnerability remains critical because the bypass is straightforward and affects authentication itself.

Budibase 3.35.4 closes the issue

The fixed version is Budibase 3.35.4. The source material states that the vulnerability is addressed there, and that versions before 3.35.4 remain affected.

The most direct remediation is to move to the patched release and confirm that protected routes no longer rely on unanchored matching against the full request URL. The advisory also recommends restricting access to Budibase API endpoints and monitoring for suspicious query-string patterns if immediate upgrading is not possible.

Organizations are urged to patch immediately to mitigate risks of unauthorized access.

Possible steps

These steps can reduce exposure while remediation is underway:

  • Upgrade Budibase to version 3.35.4 or later.
  • Restrict network access to Budibase API endpoints where possible.
  • Review logs for unusual query strings that contain public endpoint paths.
  • Look for requests that target protected routes with appended path fragments.
  • Verify that authentication checks use normalized paths, not full URLs.
  • Prioritize remediation on any exposed Budibase instance handling sensitive data.

Sources: nvd.nist.gov, cve.org, appsecure.security, codeant.ai, tenable.com, feedly.com

Written by the uGetFix Editorial Team, Security Editor

The uGetFix editorial team consists of experienced Windows technicians and cybersecurity researchers. Every guide is tested on real hardware before publication.
