CVE-2026-48147

6.5 MEDIUM

Budibase is an open-source low-code platform

Published: 2026-05-27 · Last updated: 2026-05-27

Severity and scoring

CVSS: 6.5 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CWE: CWE-185, CWE-352

Description

Budibase is an open-source low-code platform. Prior to 3.35.4, the buildMatcherRegex() / matches() functions in packages/backend-core/src/middleware/matchers.ts route patterns are compiled into unanchored regular expressions and tested against ctx.request.url, which includes the full query string. The CSRF middleware in the Budibase Worker uses this matching system to decide whether to skip CSRF token validation. An unauthenticated attacker can forge state-changing cross-origin requests against any Worker API endpoint by injecting a public route pattern into the query string, causing the CSRF middleware to skip token validation entirely. This allows actions such as sending admin invites, modifying global configuration, and managing users without a valid CSRF token. This vulnerability is fixed in 3.35.4.

Source: NVD

References

Related CVEs

Same CWE

CVE-2026-53739 — Yoast Duplicate Post through 4.6 contains a cross-site request forgery vulnerability in the duplicate_post_dismiss_notice handler, which ... (4.3 MEDIUM)
CVE-2026-53736 — Easy Twitter Feeds before 1.2.13 contains a cross-site request forgery vulnerability in the duplicate_post action handler that lacks nonc... (4.3 MEDIUM)
CVE-2025-58468 — A cross-site request forgery (CSRF) vulnerability has been reported to affect Notification Center
CVE-2026-39170 — SemCms 5.0 is vulnerable to Cross Site Request Forgery (CSRF) via crafted POST request to /admin/semcms_user.php (6.3 MEDIUM)
CVE-2026-8940 — The WP Meta Sort Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9 (4.3 MEDIUM)