CVE-2026-41428
Published: 24 April 2026
Summary
CVE-2026-41428 is a critical-severity Improper Authentication (CWE-287) vulnerability in Budibase Budibase. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Explicitly requires mechanisms to prevent bypasses of access control decisions, directly addressing the authentication bypass via unanchored regex matching on query parameters.
Mandates enforcement of approved authorizations for access to protected endpoints, countering the flawed middleware logic that allows unauthorized access.
Requires validation of URL inputs to block manipulation of request paths through query parameters that evade authentication checks.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an authentication bypass in a public-facing low-code web application (Budibase), directly enabling remote exploitation of public-facing applications to gain unauthorized access.
NVD Description
Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any protected endpoint by…
more
appending a public endpoint path as a query parameter. For example, POST /api/global/users/search?x=/api/system/status bypasses all authentication because the regex /api/system/status/ matches in the query string portion of the URL. This vulnerability is fixed in 3.35.4.
Deeper analysisAI
CVE-2026-41428 is a critical authentication bypass vulnerability in Budibase, an open-source low-code platform. In versions prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against ctx.request.url. Because ctx.request.url in the Koa framework includes the query string, this allows attackers to manipulate requests and evade authentication checks.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction. By appending a public endpoint path as a query parameter to a protected endpoint, such as POST /api/global/users/search?x=/api/system/status, the unanchored regex matches the public path in the query string, granting access to restricted resources. The CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) underscores the high confidentiality and availability impacts possible.
Budibase addressed this issue in version 3.35.4. Additional details on the vulnerability and patch are available in the GitHub security advisory at https://github.com/Budibase/budibase/security/advisories/GHSA-8783-3wgf-jggf.
Details
- CWE(s)