CVE-2026-41428 - Budibase public endpoint auth bypass
Budibase @budibase/backend-core versions <=3.35.3 can classify protected
routes as public when the authentication middleware matches no-auth endpoint
patterns against the full request URL, including the query string. Because the
public-endpoint patterns are not anchored to the request path, a protected
endpoint can be reached when a public endpoint path appears in query data.
For a low-code or internal-app platform, this is a control-plane trust failure: routes that rely on global authentication can become reachable without a valid Budibase user session. Depending on the deployment, that may expose user directories, account-owner metadata, license refresh behavior, event publishing, templates, or other routes that lack a second per-route authorization check.
When to use it
- A repository deploys, vendors, images, configures, or documents Budibase or
@budibase/backend-core <=3.35.3. - Budibase API/worker endpoints are reachable by tenants, browsers, support users, internal clients, or internet traffic.
- Server auth middleware matches public/no-auth routes against raw request URLs, query-bearing request targets, or unanchored regex patterns.
- You need a bounded PR or triage note that upgrades Budibase or proves public endpoint matching is path-only, anchored, and fail-closed.
Inputs
- Package manifests, lockfiles, Budibase source/forks, Docker/Compose/Helm/K8s artifacts, gateway policies, environment templates, SBOMs, generated manifests, and runbooks.
- Public endpoint route lists, auth middleware code, protected route inventory, route-level actor checks, access-log ownership, tenant/workspace boundaries, and rollout owners.
- Available package install, route/auth tests, lint/typecheck, image build, deployment render, SBOM, and dependency/security scans.
Affected versions
- Vulnerable:
@budibase/backend-core <=3.35.3 - Fixed: verify and deploy the first vendor release that anchors public
route matching to the request path. Some CVE records and downstream feeds
identify
3.35.4as fixed, while the checked GitHub Advisory page still listed no patched version during this run. - Affected surface: Budibase worker/API authentication middleware and any
loggedInRoutes-style endpoint that depends on the global auth check.
Indicator-of-exposure
- The repository deploys, packages, vendors, or documents Budibase or
@budibase/backend-core <=3.35.3. - Budibase worker/API endpoints are reachable by browsers, tenants, partners, support users, internal networks, or internet clients.
- Public no-auth endpoint route patterns are represented as regular expressions or strings that are compiled without start/end anchoring.
- Authentication middleware checks
ctx.request.url, raw URLs, or request targets that include query strings instead of a parsed path. - Protected endpoints rely only on the global auth middleware and do not have a second route-level user/admin/workspace check.
Quick checks:
rg -n "@budibase/backend-core|budibase|authenticated|noAuthOptions|publicEndpoint|ctx\\.request\\.url|ctx\\.request\\.path|new RegExp\\(|loggedInRoutes" .
npm ls @budibase/backend-core
pnpm why @budibase/backend-core
yarn why @budibase/backend-core
rg -n "budibase|backend-core|worker|publicEndpoint|noAuth|loggedInRoutes" Dockerfile* docker-compose*.yml charts deploy k8s helm .github .
Remediation strategy
- Prefer upgrading every controlled Budibase package, image, chart, and
deployment target to the vendor-fixed release after
3.35.3. Regenerate lockfiles, image digests, SBOMs, and rendered deployment manifests. - If the repository owns a fork, vendored patch, or gateway middleware, ensure public endpoint matching uses the parsed request path, not the full URL.
- Anchor no-auth route patterns so they match only the intended endpoint path and optional path/query boundary, not arbitrary text inside query strings.
- Add deny-by-default behavior when a route pattern cannot be parsed or when a protected route lacks both global and route-level authentication.
- Add regression tests for protected endpoints that include public endpoint path fragments in query data and must still return unauthorized.
- Review access logs for protected Budibase endpoints containing query parameters with endpoint-like path fragments during the vulnerable window.
The prompt
You are remediating CVE-2026-41428 / GHSA-8783-3wgf-jggf, a critical Budibase
authentication bypass in public endpoint matching. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades Budibase or patches the
public endpoint matcher, adds negative auth coverage, and documents operator
review, or
- TRIAGE.md if this repository does not own an affected Budibase deployment or
cannot make a safe change.
## Rules
- Scope only CVE-2026-41428 / GHSA-8783-3wgf-jggf and directly related
Budibase authentication-route matching.
- Treat user directories, account-owner metadata, session cookies, API tokens,
license data, event payloads, tenant IDs, workspace IDs, and access logs as
sensitive.
- Do not send bypass probes to production, shared staging, or real customer
Budibase instances.
- Do not fix this only in frontend routing or documentation. The server-side
auth boundary must fail closed.
- Do not auto-merge.
## Steps
1. Inventory every Budibase runtime controlled by this repository: package
manifests, lockfiles, Dockerfiles, compose files, Helm charts, Kubernetes
manifests, Terraform, Ansible, CI images, SBOMs, vendored source, gateway
policy, environment templates, and runbooks.
2. Determine every resolved `@budibase/backend-core` and Budibase image
version. Treat `@budibase/backend-core <=3.35.3` as vulnerable unless the
repository carries an auditable backport of the route-matcher fix.
3. Verify the vendor-fixed version available to this repository. If a fixed
`3.35.4+` release is consumable, upgrade through the normal package or image
channel and regenerate all controlled artifacts.
4. Search server code for the authentication boundary:
- no-auth or public endpoint route lists;
- `new RegExp(route)` or equivalent dynamic route matching;
- checks against `ctx.request.url`, raw URLs, or request targets;
- `ctx.request.path`, parsed pathname helpers, or router-matched path;
- `publicEndpoint`, `noAuthOptions`, `loggedInRoutes`, worker/global auth,
and route-level auth middleware.
5. If the repository does not deploy or vendor Budibase, stop with `TRIAGE.md`
listing files checked, current scanner evidence, and the runtime owner.
6. If patching source or a fork, make public endpoint matching path-only:
- parse the request URL and match only the path component;
- anchor every public endpoint pattern to the start of the path;
- require an end-of-path or query/path boundary as appropriate;
- fail closed when the route pattern is malformed;
- preserve explicit method checks.
7. Add route-level defense in depth for endpoints that previously relied only
on global auth. At minimum, protected user, license, event, template, and
account-owner routes should deny when `ctx.user` or equivalent actor context
is missing.
8. Add regression tests with non-production fixtures:
- a protected endpoint without a session returns unauthorized;
- the same protected endpoint still returns unauthorized when query data
contains a known public endpoint path;
- legitimate public endpoints still work without auth;
- method mismatches do not become public;
- route-level middleware denies when global auth is bypassed or skipped.
9. Add an operator review section named `CVE-2026-41428 operator actions` that
states:
- Budibase package/image versions before and after the change;
- whether this repository used an upstream fix or a temporary backport;
- which protected routes relied only on global auth;
- which logs should be searched for protected endpoint requests containing
endpoint-like query values;
- whether user directory, account-owner, license, template, or event data
may require incident review.
10. Run relevant validation: package install, lockfile checks, route tests,
auth integration tests, lint/typecheck, image build, deployment render,
SBOM refresh, and dependency/security scans available in this repository.
11. Use PR title:
`fix(sec): remediate CVE-2026-41428 in Budibase auth matching`.
## Stop conditions
- No affected Budibase runtime is controlled by this repository.
- A fixed Budibase release cannot be consumed and the repository does not own a
safe fork, gateway containment point, or deployment control.
- The route/auth model is unclear enough that a patch could expose or block
sensitive endpoints incorrectly; document the risk and request product or
security owner review.
- Verification would require probing production or exposing real user data.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Verification - what the reviewer looks for
- No controlled package, image, SBOM, lockfile, or deployment target still resolves vulnerable Budibase artifacts without an auditable backport.
- Public endpoint matching is anchored and path-only; query strings cannot make protected routes public.
- Protected routes that rely on global authentication have route-level denial for missing actor context where practical.
- Negative regression tests cover query strings that contain public endpoint path fragments.
- Operator actions cover log review and possible exposure of user directory, account-owner, license, template, or event data.
Output contract
- Reviewer-ready PR upgrading every controlled Budibase runtime or adding an auditable backport that matches public endpoints only against parsed paths.
- Negative auth tests proving protected routes remain unauthorized when query strings contain public endpoint fragments, malformed patterns, or method mismatches.
- Operator notes naming protected routes reviewed, log queries to run, and data classes that may need incident review.
TRIAGE.mdwhen Budibase runtime, gateway containment, or log review ownership is outside this repository.
Watch for
- Updating a package manifest while a container tag, chart value, or deployment
overlay still runs
@budibase/backend-core <=3.35.3. - Matching
ctx.request.urlor raw request targets after adding anchors; the query string must not participate in public-route decisions. - Tests that only prove public endpoints still work and never prove protected endpoints stay protected with attacker-shaped query data.
- Protected endpoints that assume
publicEndpointimplies a real authenticated actor.
Related recipes
- CVE-2026-39852 Quarkus matrix-parameter authorization bypass
- CVE-2026-41574 Nhost OAuth email verification bypass
- CVE intelligence intake gate
References
- GitHub Advisory: https://github.com/advisories/GHSA-8783-3wgf-jggf
- Budibase security advisory: https://github.com/Budibase/budibase/security/advisories/GHSA-8783-3wgf-jggf
- NVD CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-41428