CVE-2026-42239
8.1 HIGH
Budibase is an open-source low-code platform.
Published: 2026-05-07 · Last updated: 2026-06-04
Severity and scoring
- CVSS: 8.1 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
- CWE: CWE-1004
Affected products
| Vendor | Product |
|---|---|
| budibase | budibase |
Description
Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218, so JavaScript can read this cookie via document.cookie. This means every XSS becomes a full account takeover — the attacker steals the JWT and has persistent access to the victim's account. The cookie also lacks secure: true (so it is sent over plaintext HTTP) and a sameSite attribute. This issue has been patched in version 3.35.10.
Source: NVD
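As an added example (not Budibase's own code), the cookie attributes the advisory describes beside a hardened set, plus a small Set-Cookie auditor a defender can run over real response headers. Only the cookie name budibase:auth comes from the advisory; the helper names, option shape and sample header values are constructed for this example.

```typescript
// Added example, not Budibase project code. Names are constructed here;
// only the cookie name "budibase:auth" comes from the advisory.
interface CookieOptions {
  httpOnly: boolean;
  secure: boolean;
  sameSite?: "Strict" | "Lax" | "None";
  path?: string;
}

// The pre-3.35.10 shape as the advisory describes it: readable from
// document.cookie, sent over plaintext HTTP, no SameSite restriction.
const weakSessionCookie: CookieOptions = { httpOnly: false, secure: false };

// What a cookie carrying a JWT session token should look like instead.
const hardenedSessionCookie: CookieOptions = {
  httpOnly: true,
  secure: true,
  sameSite: "Strict",
  path: "/",
};

// Serialise name, value and options into a Set-Cookie header value.
function serializeCookie(name: string, value: string, opts: CookieOptions): string {
  const parts: string[] = [`${name}=${value}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.secure) parts.push("Secure");
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join("; ");
}

// Audit one Set-Cookie header value and return the protections a session
// cookie is missing; an empty array means all three are present.
function auditSetCookie(header: string): string[] {
  const attrs = header.split(";").slice(1).map((a) => a.trim().toLowerCase());
  const missing: string[] = [];
  if (attrs.indexOf("httponly") === -1) missing.push("HttpOnly");
  if (attrs.indexOf("secure") === -1) missing.push("Secure");
  if (!attrs.some((a) => a.indexOf("samesite=") === 0)) missing.push("SameSite");
  return missing;
}
```

HttpOnly stops script from reading the token out of document.cookie; it does not stop script already running on the page from sending requests that carry the cookie, so it narrows the blast radius of an XSS rather than neutralising it.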
References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-42239)
- [Patch](https://github.com/Budibase/budibase/releases/tag/3.35.10)
- [Vendor advisory](https://github.com/Budibase/budibase/security/advisories/GHSA-4f9j-vr4p-642r)
Related CVEs
Same CWE
- CVE-2026-11956 — A vulnerability was determined in TwiN gatus 5.36.0 (3.7 LOW)