CVE-2026-41428 - Budibase public endpoint auth bypass

Budibase @budibase/backend-core versions <=3.35.3 can classify protected routes as public when the authentication middleware matches no-auth endpoint patterns against the full request URL, including the query string. Because the public-endpoint patterns are not anchored to the request path, a protected endpoint can be reached when a public endpoint path appears in query data.

For a low-code or internal-app platform, this is a control-plane trust failure: routes that rely on global authentication can become reachable without a valid Budibase user session. Depending on the deployment, that may expose user directories, account-owner metadata, license refresh behavior, event publishing, templates, or other routes that lack a second per-route authorization check.

When to use it

  • A repository deploys, vendors, images, configures, or documents Budibase or @budibase/backend-core <=3.35.3.
  • Budibase API/worker endpoints are reachable by tenants, browsers, support users, internal clients, or internet traffic.
  • Server auth middleware matches public/no-auth routes against raw request URLs, query-bearing request targets, or unanchored regex patterns.
  • You need a bounded PR or triage note that upgrades Budibase or proves public endpoint matching is path-only, anchored, and fail-closed.

Inputs

  • Package manifests, lockfiles, Budibase source/forks, Docker/Compose/Helm/K8s artifacts, gateway policies, environment templates, SBOMs, generated manifests, and runbooks.
  • Public endpoint route lists, auth middleware code, protected route inventory, route-level actor checks, access-log ownership, tenant/workspace boundaries, and rollout owners.
  • Available package install, route/auth tests, lint/typecheck, image build, deployment render, SBOM, and dependency/security scans.

Affected versions

  • Vulnerable: @budibase/backend-core <=3.35.3
  • Fixed: verify and deploy the first vendor release that anchors public route matching to the request path. Some CVE records and downstream feeds identify 3.35.4 as fixed, while the checked GitHub Advisory page still listed no patched version during this run.
  • Affected surface: Budibase worker/API authentication middleware and any loggedInRoutes-style endpoint that depends on the global auth check.

Indicator-of-exposure

  • The repository deploys, packages, vendors, or documents Budibase or @budibase/backend-core <=3.35.3.
  • Budibase worker/API endpoints are reachable by browsers, tenants, partners, support users, internal networks, or internet clients.
  • Public no-auth endpoint route patterns are represented as regular expressions or strings that are compiled without start/end anchoring.
  • Authentication middleware checks ctx.request.url, raw URLs, or request targets that include query strings instead of a parsed path.
  • Protected endpoints rely only on the global auth middleware and do not have a second route-level user/admin/workspace check.

Quick checks:

rg -n "@budibase/backend-core|budibase|authenticated|noAuthOptions|publicEndpoint|ctx\\.request\\.url|ctx\\.request\\.path|new RegExp\\(|loggedInRoutes" .
npm ls @budibase/backend-core
pnpm why @budibase/backend-core
yarn why @budibase/backend-core
rg -n "budibase|backend-core|worker|publicEndpoint|noAuth|loggedInRoutes" Dockerfile* docker-compose*.yml charts deploy k8s helm .github .

Remediation strategy

  • Prefer upgrading every controlled Budibase package, image, chart, and deployment target to the vendor-fixed release after 3.35.3. Regenerate lockfiles, image digests, SBOMs, and rendered deployment manifests.
  • If the repository owns a fork, vendored patch, or gateway middleware, ensure public endpoint matching uses the parsed request path, not the full URL.
  • Anchor no-auth route patterns so they match only the intended endpoint path and optional path/query boundary, not arbitrary text inside query strings.
  • Add deny-by-default behavior when a route pattern cannot be parsed or when a protected route lacks both global and route-level authentication.
  • Add regression tests for protected endpoints that include public endpoint path fragments in query data and must still return unauthorized.
  • Review access logs for protected Budibase endpoints containing query parameters with endpoint-like path fragments during the vulnerable window.

The prompt

You are remediating CVE-2026-41428 / GHSA-8783-3wgf-jggf, a critical Budibase
authentication bypass in public endpoint matching. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Budibase or patches the
  public endpoint matcher, adds negative auth coverage, and documents operator
  review, or
- TRIAGE.md if this repository does not own an affected Budibase deployment or
  cannot make a safe change.

## Rules

- Scope only CVE-2026-41428 / GHSA-8783-3wgf-jggf and directly related
  Budibase authentication-route matching.
- Treat user directories, account-owner metadata, session cookies, API tokens,
  license data, event payloads, tenant IDs, workspace IDs, and access logs as
  sensitive.
- Do not send bypass probes to production, shared staging, or real customer
  Budibase instances.
- Do not fix this only in frontend routing or documentation. The server-side
  auth boundary must fail closed.
- Do not auto-merge.

## Steps

1. Inventory every Budibase runtime controlled by this repository: package
   manifests, lockfiles, Dockerfiles, compose files, Helm charts, Kubernetes
   manifests, Terraform, Ansible, CI images, SBOMs, vendored source, gateway
   policy, environment templates, and runbooks.
2. Determine every resolved `@budibase/backend-core` and Budibase image
   version. Treat `@budibase/backend-core <=3.35.3` as vulnerable unless the
   repository carries an auditable backport of the route-matcher fix.
3. Verify the vendor-fixed version available to this repository. If a fixed
   `3.35.4+` release is consumable, upgrade through the normal package or image
   channel and regenerate all controlled artifacts.
4. Search server code for the authentication boundary:
   - no-auth or public endpoint route lists;
   - `new RegExp(route)` or equivalent dynamic route matching;
   - checks against `ctx.request.url`, raw URLs, or request targets;
   - `ctx.request.path`, parsed pathname helpers, or router-matched path;
   - `publicEndpoint`, `noAuthOptions`, `loggedInRoutes`, worker/global auth,
     and route-level auth middleware.
5. If the repository does not deploy or vendor Budibase, stop with `TRIAGE.md`
   listing files checked, current scanner evidence, and the runtime owner.
6. If patching source or a fork, make public endpoint matching path-only:
   - parse the request URL and match only the path component;
   - anchor every public endpoint pattern to the start of the path;
   - require an end-of-path or query/path boundary as appropriate;
   - fail closed when the route pattern is malformed;
   - preserve explicit method checks.
7. Add route-level defense in depth for endpoints that previously relied only
   on global auth. At minimum, protected user, license, event, template, and
   account-owner routes should deny when `ctx.user` or equivalent actor context
   is missing.
8. Add regression tests with non-production fixtures:
   - a protected endpoint without a session returns unauthorized;
   - the same protected endpoint still returns unauthorized when query data
     contains a known public endpoint path;
   - legitimate public endpoints still work without auth;
   - method mismatches do not become public;
   - route-level middleware denies when global auth is bypassed or skipped.
9. Add an operator review section named `CVE-2026-41428 operator actions` that
   states:
   - Budibase package/image versions before and after the change;
   - whether this repository used an upstream fix or a temporary backport;
   - which protected routes relied only on global auth;
   - which logs should be searched for protected endpoint requests containing
     endpoint-like query values;
   - whether user directory, account-owner, license, template, or event data
     may require incident review.
10. Run relevant validation: package install, lockfile checks, route tests,
    auth integration tests, lint/typecheck, image build, deployment render,
    SBOM refresh, and dependency/security scans available in this repository.
11. Use PR title:
    `fix(sec): remediate CVE-2026-41428 in Budibase auth matching`.

## Stop conditions

- No affected Budibase runtime is controlled by this repository.
- A fixed Budibase release cannot be consumed and the repository does not own a
  safe fork, gateway containment point, or deployment control.
- The route/auth model is unclear enough that a patch could expose or block
  sensitive endpoints incorrectly; document the risk and request product or
  security owner review.
- Verification would require probing production or exposing real user data.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Verification - what the reviewer looks for

  • No controlled package, image, SBOM, lockfile, or deployment target still resolves vulnerable Budibase artifacts without an auditable backport.
  • Public endpoint matching is anchored and path-only; query strings cannot make protected routes public.
  • Protected routes that rely on global authentication have route-level denial for missing actor context where practical.
  • Negative regression tests cover query strings that contain public endpoint path fragments.
  • Operator actions cover log review and possible exposure of user directory, account-owner, license, template, or event data.

Output contract

  • Reviewer-ready PR upgrading every controlled Budibase runtime or adding an auditable backport that matches public endpoints only against parsed paths.
  • Negative auth tests proving protected routes remain unauthorized when query strings contain public endpoint fragments, malformed patterns, or method mismatches.
  • Operator notes naming protected routes reviewed, log queries to run, and data classes that may need incident review.
  • TRIAGE.md when Budibase runtime, gateway containment, or log review ownership is outside this repository.

Watch for

  • Updating a package manifest while a container tag, chart value, or deployment overlay still runs @budibase/backend-core <=3.35.3.
  • Matching ctx.request.url or raw request targets after adding anchors; the query string must not participate in public-route decisions.
  • Tests that only prove public endpoints still work and never prove protected endpoints stay protected with attacker-shaped query data.
  • Protected endpoints that assume publicEndpoint implies a real authenticated actor.

References