Cyber Posture

CVE-2026-31816

Critical · Public PoC

Published: 09 March 2026
Modified: 13 March 2026
KEV Added: none
Patch:
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.1643 (95.0th percentile)
Risk Priority: 28 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31816 is a critical-severity Injection (CWE-74) vulnerability in Budibase Budibase. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 5.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5), AI-generated

AC-3 Access Enforcement (prevent): Enforces approved authorizations for all logical access to server-side API endpoints, directly preventing the middleware bypass via query string manipulation.

SI-10 Information Input Validation (prevent): Validates information inputs, including query parameters at external interfaces, blocking malicious webhook patterns that exploit the unanchored regex in isWebhookEndpoint().

Flaw remediation (prevent, recover): Requires timely remediation of flaws like the authorized() middleware vulnerability in Budibase 3.31.4 and earlier, eliminating the bypass through patching.

MITRE ATT&CK Enterprise Techniques, AI-generated

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability allows unauthenticated remote attackers to bypass authentication middleware on a public-facing web application (Budibase server-side API), directly enabling exploitation of public-facing applications for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized() middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any request. The isWebhookEndpoint() function uses an unanchored regex that tests against ctx.request.url, which in Koa includes the full URL with query parameters. When the regex matches, the authorized() middleware immediately calls return next(), skipping all authentication, authorization, role checks, and CSRF protection. This means a completely unauthenticated, remote attacker can access any server-side API endpoint by simply appending ?/webhooks/trigger (or any webhook pattern variant) to the URL.

Deeper analysis, AI-generated

CVE-2026-31816 is a critical vulnerability in Budibase, a low code platform for creating internal tools, workflows, and admin panels, affecting versions 3.31.4 and earlier. The issue lies in the server's authorized() middleware, which is intended to protect every server-side API endpoint. This middleware can be fully bypassed by appending a webhook path pattern, such as ?/webhooks/trigger or any variant, to the query string of any request. The isWebhookEndpoint() function uses an unanchored regex that tests against ctx.request.url, which in the Koa framework includes the full URL with query parameters; a match causes the middleware to immediately invoke next(), skipping all authentication, authorization, role checks, and CSRF protection.

An unauthenticated remote attacker can exploit this vulnerability with low complexity by simply modifying the query string of requests to any API endpoint. This grants complete access to all server-side API functionality without credentials, enabling high-impact confidentiality and integrity violations such as data exfiltration, modification, or other unauthorized operations. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-74 (Injection).
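The NVD description and the deeper analysis above both reduce to one root cause: a route check that runs an unanchored regex over ctx.request.url (path plus query string in Koa) instead of an anchored regex over ctx.path (path only). The following is an added illustrative example, not Budibase's source code and not the project's actual webhook route shape. It reconstructs the flawed check beside a hardened one with a minimal Koa-style ctx (the Koa field semantics used, ctx.request.url and ctx.path, are real; the route regex, the placeholder host and the sample access-log lines are constructed), and finishes with a simple detection heuristic that flags requests carrying a webhook path fragment inside the query string, which is the shape of this bypass in server logs.

```javascript
// Added example (not Budibase code): unanchored-regex-on-full-URL versus
// anchored-regex-on-path, plus a log heuristic for the bypass pattern.

// The kind of check the advisory describes: unanchored, run over the full URL.
const WEBHOOK_PATTERN_UNANCHORED = /\/webhooks\/trigger/;

// Hardened variant: anchored to a concrete route shape and run over the path only.
// The route shape here is an assumption for illustration, not Budibase's real route.
const WEBHOOK_ROUTE_ANCHORED = /^\/api\/webhooks\/trigger\/[^/]+\/[^/]+$/;

// Minimal stand-in for a Koa ctx. In Koa, ctx.request.url is the raw
// request target (path + query string) and ctx.path is the pathname only.
function makeCtx(rawUrl, { authenticated = false } = {}) {
  const parsed = new URL(rawUrl, 'http://budibase.invalid'); // placeholder base host
  return {
    request: { url: rawUrl },
    path: parsed.pathname,
    user: authenticated ? { id: 'constructed-user' } : null,
    status: undefined,
  };
}

// Vulnerable shape: a query string containing "/webhooks/trigger" matches.
function isWebhookEndpointVulnerable(ctx) {
  return WEBHOOK_PATTERN_UNANCHORED.test(ctx.request.url);
}

// Hardened shape: only a request whose *path* is exactly a webhook route matches.
function isWebhookEndpointHardened(ctx) {
  return WEBHOOK_ROUTE_ANCHORED.test(ctx.path);
}

// Simplified authorized() middleware (synchronous here for brevity; real Koa
// middleware is async). Webhook routes are assumed to authenticate elsewhere,
// everything else requires a logged-in user.
function authorized(isWebhookEndpoint) {
  return function middleware(ctx, next) {
    if (isWebhookEndpoint(ctx)) return next();
    if (!ctx.user) {
      ctx.status = 401;
      return;
    }
    return next();
  };
}

// Runs one request through the middleware and reports whether the protected
// handler was reached.
function dispatch(middleware, ctx) {
  let reached = false;
  middleware(ctx, () => {
    reached = true;
    ctx.status = 200;
  });
  return { reached, status: ctx.status };
}

// Detection heuristic: flag access-log requests whose query string contains a
// webhook path fragment. Lines below are constructed, not real traffic.
const SAMPLE_ACCESS_LOG = [
  '10.0.0.5 - - [09/Mar/2026:10:00:01 +0000] "GET /api/webhooks/trigger/app_1/wh_1 HTTP/1.1" 200',
  '10.0.0.7 - - [09/Mar/2026:10:00:02 +0000] "GET /api/admin/users?/webhooks/trigger HTTP/1.1" 200',
  '10.0.0.9 - - [09/Mar/2026:10:00:03 +0000] "POST /api/tables?x=1 HTTP/1.1" 401',
];

function findWebhookFragmentInQuery(lines) {
  const requestLine = /"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/;
  const flagged = [];
  for (const line of lines) {
    const m = requestLine.exec(line);
    if (!m) continue;
    const target = m[1];
    const q = target.indexOf('?');
    if (q === -1) continue;                       // no query string: nothing to flag
    if (/\/webhooks\//.test(target.slice(q + 1))) flagged.push(target);
  }
  return flagged;
}

// Side-by-side outcome for an unauthenticated request to a non-webhook endpoint
// whose query string carries the webhook fragment.
function compareChecks(rawUrl) {
  return {
    vulnerable: dispatch(authorized(isWebhookEndpointVulnerable), makeCtx(rawUrl)),
    hardened: dispatch(authorized(isWebhookEndpointHardened), makeCtx(rawUrl)),
  };
}

console.log(compareChecks('/api/admin/users?/webhooks/trigger'));
console.log(findWebhookFragmentInQuery(SAMPLE_ACCESS_LOG));
```

The two fixes are independent and worth applying together: anchoring the regex stops substring matches anywhere in the string, and testing ctx.path instead of ctx.request.url removes the query string from the decision entirely, so a route check cannot be steered by attacker-controlled parameters even if the pattern is later loosened.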

Mitigation details are available in the Budibase security advisory at https://github.com/Budibase/budibase/security/advisories/GHSA-gw94-hprh-4wj8, published on 2026-03-09.

Details

CWE(s): CWE-74 (Injection)

Affected Products

budibase budibase ≤ 3.31.4

CVEs Like This One

CVE-2026-41428 (same product: Budibase Budibase)
CVE-2026-35216 (same product: Budibase Budibase)
CVE-2026-25041 (same product: Budibase Budibase)
CVE-2026-25737 (same product: Budibase Budibase)
CVE-2026-25044 (same product: Budibase Budibase)
CVE-2026-35214 (same product: Budibase Budibase)
CVE-2026-31818 (same product: Budibase Budibase)
CVE-2026-30240 (same product: Budibase Budibase)
CVE-2026-27702 (same product: Budibase Budibase)
CVE-2026-33226 (same product: Budibase Budibase)
