Cyber Resilience

CVE-2026-54351

High · Public PoC

Published: 26 June 2026

Modified: 30 June 2026
KEV Added
Patch
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0046 (36.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-54351 is a high-severity Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) vulnerability in Budibase Budibase. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 36.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in externalTrigger() allows an attacker to overwrite the internal appId property by including it in the webhook POST body. When the automation is processed asynchronously (the default path for webhooks without a collect step), the worker executes the attacker-defined automation in the context of the victim's workspace, granting full read/write access to the victim's database. This vulnerability is fixed in 3.39.9.
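The weakness described above is the classic mass-assignment shape: a server-side execution context is built and then the caller's whole request body is merged over it, so a body key with the same name as an internal property wins. The following is an added illustration, not Budibase code and not the patched externalTrigger(); the function names (buildParamsUnsafe, buildParamsSafe, findReservedKeyOverrides), the reserved-key list, the allowlist WEBHOOK_FIELDS and the sample request body are all constructed for the example. It places the vulnerable merge beside a hardened form that takes appId only from the server-side context and copies caller data through an allowlist into its own namespace, plus a small helper that tells request logging when a caller tried to set a reserved key.

```javascript
// Added example (not Budibase code): a mass-assignment-style webhook handler
// beside a hardened form. All names and sample values here are assumptions
// constructed for illustration.

// Server-side execution context. In a real platform this is resolved from the
// webhook's own registration (which app/workspace owns it), never from the caller.
const serverContext = {
  appId: "app_victim_workspace", // hypothetical id, constructed for the example
  automationId: "auto_notify_on_order",
};

// Keys that must only ever come from the server-side context.
const RESERVED_KEYS = new Set(["appId", "automationId", "tenantId", "userId"]);

// Fields this particular webhook is allowed to accept from the caller.
const WEBHOOK_FIELDS = ["orderId", "amount"];

// Constructed request body: a caller-supplied payload that also carries the
// internal appId key. A legitimate caller has no reason to send it.
const sampleBody = {
  orderId: "order-42",
  amount: 19.99,
  appId: "app_other_workspace",
};

// Vulnerable pattern: the whole body is merged into the execution parameters
// after the context, so any body key silently overrides the internal one.
function buildParamsUnsafe(ctx, body) {
  return { ...ctx, ...body };
}

// Hardened pattern: internal keys are taken from the context only, and the
// caller's data is copied field-by-field through an allowlist into its own
// `fields` namespace. Unknown or reserved keys never reach the parameters.
function buildParamsSafe(ctx, body, allowedFields) {
  const fields = {};
  for (const key of allowedFields) {
    if (Object.prototype.hasOwnProperty.call(body, key)) {
      fields[key] = body[key];
    }
  }
  return {
    appId: ctx.appId,
    automationId: ctx.automationId,
    fields,
  };
}

// Detection helper for request logging: which reserved keys did the caller
// attempt to set? A non-empty result is worth alerting on.
function findReservedKeyOverrides(body) {
  return Object.keys(body).filter((k) => RESERVED_KEYS.has(k));
}

// Demonstration on the constructed body.
const unsafe = buildParamsUnsafe(serverContext, sampleBody);
const safe = buildParamsSafe(serverContext, sampleBody, WEBHOOK_FIELDS);
console.log("unsafe appId:", unsafe.appId); // app_other_workspace
console.log("safe appId:", safe.appId); // app_victim_workspace
console.log("reserved keys in body:", findReservedKeyOverrides(sampleBody)); // [ 'appId' ]
```

The design point is that the fix is not a blocklist of one key: every internal property is set from server-side state and the caller's payload is confined to a namespace of its own, so a new internal key added later cannot be overwritten by the body either. Logging the output of findReservedKeyOverrides() on public endpoints also gives defenders a signal that something is probing for this class of flaw.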

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Public webhook endpoint (T1190) exploited via mass assignment for unauthorized execution in victim workspace context (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-50137 · Same product: Budibase Budibase
CVE-2026-35214 · Same product: Budibase Budibase
CVE-2026-50132 · Same product: Budibase Budibase
CVE-2026-54353 · Same product: Budibase Budibase
CVE-2026-54350 · Same product: Budibase Budibase
CVE-2026-50136 · Same product: Budibase Budibase
CVE-2026-31816 · Same product: Budibase Budibase
CVE-2026-41428 · Same product: Budibase Budibase
CVE-2026-27702 · Same product: Budibase Budibase
CVE-2026-25737 · Same product: Budibase Budibase

Affected Assets

budibase / budibase: ≤ 3.39.9

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References