Critical CVE-2026-41428 in Budibase allows authentication bypass through query-string matching
Budibase is affected by CVE-2026-41428, a critical authentication bypass with a CVSS score of 9.1 that applies to versions prior to 3.35.4. The flaw lets an attacker reach protected endpoints by placing a public path inside the query string of a request.
The issue was published by NVD on 2026-04-24 and traces to authentication middleware that decides whether a route is public by running unanchored regular expressions against the request URL. Because Koa includes the query string in ctx.request.url, a request can be made to look public even when its real target is protected.
The published example shows the problem clearly: POST /api/global/users/search?x=/api/system/status bypasses authentication because the regex for /api/system/status/ matches inside the query portion of the URL. NVD lists the weakness as CWE-287, Improper Authentication, and marks Budibase versions up to but excluding 3.35.4 as vulnerable.
Unanchored regular expressions let a public path override a protected one
The core failure is the way the middleware decides whether a request should skip authentication. Instead of checking a normalized path, it evaluates the full request URL, so any public endpoint fragment appearing anywhere in that string can be treated as a match.
That behavior creates an authentication decision that depends on pattern placement rather than route identity. In practice, the attacker does not need to alter Budibase’s route structure, only the request text that reaches the matcher.
The vulnerability matters because authentication middleware sits in front of the application’s protected API surface. When that control fails, requests that should be blocked can move through to internal or administrative functionality without valid credentials.
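The matching mistake described above, shown as an added illustrative example in JavaScript. This is not Budibase's middleware; the public-route list, the minimal Koa-style context object and the function names are assumptions made for illustration. The flawed check tests unanchored patterns against the full request URL, query string included, while the hardened check anchors each pattern and matches only the normalized pathname.

```javascript
// Added illustrative example (not Budibase's own middleware): why an unanchored
// regex over the full request URL (path + query string) misclassifies protected
// routes as public, and a hardened check over the normalized path.
// The public-route list below is an assumption for illustration only.
const PUBLIC_PATTERNS = [/\/api\/system\/status/, /\/api\/global\/auth\/login/];

// Minimal stand-in for a Koa context: ctx.request.url carries the query
// string, ctx.path is the pathname only (both exist on a real Koa ctx).
function makeCtx(method, rawUrl) {
  const u = new URL(rawUrl, "http://localhost");
  return { method, request: { url: u.pathname + u.search }, path: u.pathname };
}

// Flawed check (the pattern the advisory describes): a public-path fragment
// anywhere in the full URL, query string included, skips authentication.
function isPublicUnanchored(ctx) {
  return PUBLIC_PATTERNS.some((re) => re.test(ctx.request.url));
}

// Collapse repeated slashes and drop a trailing slash so that
// "/api/system/status/" and "/api/system/status" compare equal.
function normalizePath(p) {
  let out = p.replace(/\/{2,}/g, "/");
  if (out.length > 1 && out.endsWith("/")) out = out.slice(0, -1);
  return out;
}

// Hardened check: anchored patterns (^...$) tested against the normalized
// pathname only, so the query string can never influence the decision.
const PUBLIC_ROUTES = [/^\/api\/system\/status$/, /^\/api\/global\/auth\/login$/];

function isPublicAnchored(ctx) {
  return PUBLIC_ROUTES.some((re) => re.test(normalizePath(ctx.path)));
}

// What each check would let through for a request without a valid session.
function authDecision(ctx, check, hasValidSession) {
  if (check(ctx)) return "allow:public";
  return hasValidSession ? "allow:authenticated" : "deny:401";
}

// Walk the advisory's example request through both checks.
function demo() {
  const bypass = makeCtx("POST", "/api/global/users/search?x=/api/system/status");
  return {
    unanchored: authDecision(bypass, isPublicUnanchored, false),
    anchored: authDecision(bypass, isPublicAnchored, false),
  };
}

console.log(demo());
```

Run with node. The request from the advisory is classified as public by the unanchored check and denied with 401 by the anchored one, while a genuine GET of the status route, with or without a trailing slash, stays public. The general rule, independent of framework, is to derive the route decision from the parsed pathname and never from the raw URL string.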
The attack requires only network access and no valid account
The advisory data describes the attack as network-based, low complexity, and requiring no user interaction. It also assigns no privileges and no integrity impact, while confidentiality and availability are both rated high in the CVSS vector.
That combination means the exposure is broad wherever Budibase is reachable over HTTP or HTTPS. The source material also notes that no known exploit or public proof of concept has been confirmed, but the vulnerability remains critical because the bypass is straightforward and affects authentication itself.
Budibase 3.35.4 closes the issue
The fixed version is Budibase 3.35.4. The source material states that the vulnerability is addressed there, and that versions before 3.35.4 remain affected.
The most direct remediation is to move to the patched release and confirm that protected routes no longer rely on unanchored matching against the full request URL. The advisory also recommends restricting access to Budibase API endpoints and monitoring for suspicious query-string patterns if immediate upgrading is not possible.
Organizations are urged to patch immediately to mitigate risks of unauthorized access.
Possible steps
These steps can reduce exposure while remediation is underway:
- Upgrade Budibase to version 3.35.4 or later.
- Restrict network access to Budibase API endpoints where possible.
- Review logs for unusual query strings that contain public endpoint paths.
- Look for requests that target protected routes with appended path fragments.
- Verify that authentication checks use normalized paths, not full URLs.
- Prioritize remediation on any exposed Budibase instance handling sensitive data.
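One way to carry out the two log-review steps above (public endpoint paths inside query strings, and public fragments appended to protected routes), as an added detection example that is not part of the advisory or of Budibase. The log lines are constructed in a common access-log shape and the public-route list is an assumption; adapt both to the real log format and route table.

```javascript
// Added detection example (not from the advisory or Budibase): flags requests
// whose query string, or whose non-public path, carries a public-endpoint path.
// Both the route list and the log lines below are constructed for illustration.
const PUBLIC_ROUTE_PREFIXES = ["/api/system/status", "/api/global/auth/login"]; // assumed

// Constructed sample lines in a common access-log shape (not real Budibase logs).
const SAMPLE_LOG = [
  '10.0.0.5 - - [24/Apr/2026:10:01:02 +0000] "GET /api/system/status HTTP/1.1" 200 51',
  '10.0.0.9 - - [24/Apr/2026:10:01:07 +0000] "POST /api/global/users/search?x=/api/system/status HTTP/1.1" 200 812',
  '10.0.0.9 - - [24/Apr/2026:10:01:09 +0000] "GET /api/global/users?redirect=%2Fapi%2Fglobal%2Fauth%2Flogin HTTP/1.1" 200 312',
  '10.0.0.9 - - [24/Apr/2026:10:01:12 +0000] "GET /api/global/users/search/api/system/status HTTP/1.1" 200 812',
  '10.0.0.7 - - [24/Apr/2026:10:02:11 +0000] "GET /app/home?tab=status HTTP/1.1" 200 1200',
];

// client - - [time] "METHOD target PROTO" status bytes
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+$/;

// Split the request target into path and percent-decoded query string.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status] = m;
  const qIdx = target.indexOf("?");
  const path = qIdx === -1 ? target : target.slice(0, qIdx);
  const rawQuery = qIdx === -1 ? "" : target.slice(qIdx + 1);
  let query;
  try {
    query = decodeURIComponent(rawQuery); // catch encoded slashes too
  } catch {
    query = rawQuery; // malformed escapes: keep the raw text
  }
  return { ip, time, method, path, query, status: Number(status) };
}

// Exact match against the public route list, ignoring a trailing slash.
function isPublicPath(path) {
  const norm = path.replace(/\/+$/, "");
  return PUBLIC_ROUTE_PREFIXES.some((p) => norm === p);
}

// A request is suspicious when its path is not public but a public route
// string appears in the decoded query string (case 1) or is appended inside
// a longer, non-public path (case 2); both are shapes an unanchored matcher
// would accept.
function findSuspicious(lines) {
  const hits = [];
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || isPublicPath(r.path)) continue;
    const inQuery = PUBLIC_ROUTE_PREFIXES.find((p) => r.query.includes(p));
    const inPath = PUBLIC_ROUTE_PREFIXES.find((p) => r.path.includes(p));
    if (inQuery) hits.push({ ...r, where: "query", fragment: inQuery });
    else if (inPath) hits.push({ ...r, where: "path", fragment: inPath });
  }
  return hits;
}

for (const h of findSuspicious(SAMPLE_LOG)) {
  console.log(`${h.time} ${h.ip} ${h.method} ${h.path} -> public fragment "${h.fragment}" in ${h.where}`);
}
```

On the sample above, the legitimate status probe and the unrelated `tab=status` request are not flagged, while the three requests that carry a public route string in the query or appended to a protected path are reported. Hits on a pre-3.35.4 instance that returned 200 deserve a closer look at what the target route exposed.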
Sources: nvd.nist.gov, cve.org, appsecure.security, codeant.ai, tenable.com, feedly.com