CVE-2026-48151 - Budibase webhook schema auth bypass

Budibase before 3.39.0 registered webhook schema building under builder-only routes, but the generic webhook endpoint detection logic also matched the /api/webhooks/schema/... path and skipped authorization entirely. An unauthenticated caller who knew a webhook identifier could mutate webhook body schema and corresponding automation trigger output schema.

This is a classic control bypass caused by a coarse “webhooks are public” shortcut that caught a privileged maintenance endpoint.

When to use it

Use this recipe when a repository deploys Budibase with webhook automations, public webhook routes, or schema-building endpoints that must remain builder/admin-only. It is designed for source-code/deployment remediation, route-classification review, automation schema integrity checks, auth-bypass regression testing, and evidence that unauthenticated webhook callers cannot mutate schema.

Inputs

  • Budibase server version, lockfiles, image/chart/manifest pins, webhook route config, automation schema storage, builder route middleware, and generated dependency or SBOM reports.
  • Source/config paths for /api/webhooks/schema, webhook endpoint detection, builder routes, auth middleware, automation trigger schema updates, audit logs, and tests.
  • Regression fixtures for true public webhook triggers, schema management routes, unauthenticated callers, builders/admins, unknown webhook IDs, and expected denial/audit behavior.
  • Boundary evidence: webhook IDs, automation owners, schema-change logs, public route exposure, API keys/secrets, rollout owner, and cleanup owner.

Affected versions

  • Vulnerable: @budibase/server <3.39.0
  • Fixed: @budibase/server 3.39.0+
  • Affected surface: webhook schema builder endpoints and downstream automation schema mutation

Indicator-of-exposure

  • The repository deploys Budibase server versions before 3.39.0.
  • Webhook automations are enabled.
  • Webhook schema routes are reachable from unauthenticated networks or from tenants that should not mutate each other’s automation state.

Quick checks:

rg -n "/api/webhooks/schema|isWebhookEndpoint|builderRoutes|authorized|schema" .
npm ls @budibase/server
pnpm why @budibase/server

Windows:

rg -n "/api/webhooks/schema|isWebhookEndpoint|builderRoutes|authorized|schema" .
npm ls @budibase/server
pnpm why @budibase/server

Remediation strategy

  • Upgrade Budibase to 3.39.0+.
  • Ensure only true unauthenticated webhook trigger endpoints bypass auth; schema management endpoints must require builder/admin authorization.
  • Add route-level tests that prove /api/webhooks/schema/... cannot bypass auth, even if generic webhook path helpers change again.
  • Review recent automation schema changes if unauthenticated reachability existed.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-48151 / GHSA-qhv3-wjg8-6fx6 in Budibase. An
authorization bypass lets unauthenticated callers mutate webhook and automation
schema through `/api/webhooks/schema/...`. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Budibase, tightens auth on
  schema routes, adds regression tests, and documents review actions, or
- TRIAGE.md if this repository does not control an affected Budibase server.

## Rules

- Scope only CVE-2026-48151 and directly related webhook schema authorization.
- Treat webhook payloads, automation schemas, tenant identifiers, and logs as
  sensitive.
- Do not mutate live webhook schemas in shared environments.
- Do not break legitimate unauthenticated webhook trigger delivery while fixing
  privileged schema routes.
- Do not auto-merge.

## Steps

1. Inventory every `@budibase/server` dependency, image, and deployment owned
   by this repository.
2. Inspect webhook route registration and generic auth-bypass helpers to
   identify where schema endpoints are misclassified.
3. Determine whether webhook schema routes are network reachable without auth.
4. If this repository does not control an affected Budibase server, stop with
   `TRIAGE.md` naming the owner and required fixed version `3.39.0+`.
5. Upgrade to `3.39.0+` and refresh locks, images, SBOMs, and deployment
   artifacts.
6. Tighten route matching so only intended trigger endpoints bypass auth, while
   schema mutation paths require builder/admin authorization.
7. Add regression tests proving unauthenticated callers receive rejection on
   webhook schema routes and authorized builders retain expected access.
8. Add a PR body section named `CVE-2026-48151 operator actions` covering:
   - versions before and after;
   - whether unauthenticated route reachability existed;
   - which automation or schema changes should be reviewed;
   - validation that passed.
9. Run available validation: dependency install, tests, build, image build,
   deployment render, and security scans.
10. Use PR title:
    `fix(sec): remediate CVE-2026-48151 in Budibase webhook schema auth`.

## Stop conditions

- No affected Budibase server is controlled by this repository.
- Verification would require mutating live webhook schemas in shared
  environments.
- Product requirements intentionally expose schema mutation without auth;
  document the risk and stop for review.
- Validation fails for unrelated pre-existing reasons; document those failures.

Output contract

  • A reviewer-ready PR or change request that upgrades Budibase, separates public webhook triggers from schema-management routes, adds auth-bypass regression tests, and documents automation/audit review.
  • Or a TRIAGE.md file that lists inspected packages/images/routes, owner, observed version, webhook-schema boundary, required fix, and residual risk.
  • The output must include exact validation commands and must not mutate real automation schemas, expose webhook secrets, or broaden unauthenticated route matching.

Verification - what the reviewer looks for

  • No controlled Budibase deployment resolves <3.39.0.
  • /api/webhooks/schema/... requires authorization while true trigger paths still work as intended.
  • Tests protect against future route-matcher regressions.

Watch for

  • Fixing one route while a second alias or reverse-proxy rewrite stays exposed.
  • Over-broad auth changes that break legitimate inbound webhook triggers.
  • Forgetting to review automation schema history after exposure.

References