CVE-2026-41428 | budibase up to 3.35.3 Query Parameter status improper authentication
A vulnerability classified as critical was found in budibase up to 3.35.3. This affects an unknown part of the file /api/global/users/search?x=/api/system/status of the component Query Parameter Handler. Executing a manipulation can lead to improper authentication. This vulnerability appears as CVE-2026-41428. The attack may be performed from remote. There is no available exploit. Upgrading the affected component is advised.
VDB-359549 · CVE-2026-41428 · GCVE-0-2026-41428
CVSS Meta Temp Score: 8.0
Current Exploit Price (≈): $0-$5k
CTI Interest Score: 1.69
Summary
A vulnerability, which was classified as critical, has been found in budibase up to 3.35.3. This vulnerability affects unknown code of the file /api/global/users/search?x=/api/system/status of the component Query Parameter Handler. The manipulation leads to improper authentication. This vulnerability is traded as CVE-2026-41428. It is possible to initiate the attack remotely. There is no exploit available. It is advisable to upgrade the affected component.
Details
A vulnerability was found in budibase up to 3.35.3. It has been rated as critical. This issue affects an unknown functionality of the file /api/global/users/search?x=/api/system/status of the component Query Parameter Handler. The manipulation with an unknown input leads to an improper authentication vulnerability. Using CWE to declare the problem leads to CWE-287: when an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Impacted are confidentiality, integrity, and availability. The summary by CVE is:
Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any protected endpoint by appending a public endpoint path as a query parameter. For example, POST /api/global/users/search?x=/api/system/status bypasses all authentication because the regex /api/system/status/ matches in the query string portion of the URL. This vulnerability is fixed in 3.35.4.
The advisory is shared at github.com. The identification of this vulnerability is CVE-2026-41428 since 04/20/2026. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details are known, but no exploit is available.
Upgrading to version 3.35.4 eliminates this vulnerability.
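The CVE summary above describes a CWE-287 pattern that is easy to reproduce in isolation: a public-endpoint allowlist checked with unanchored regular expressions against the full request URL, which in Koa (ctx.request.url) still carries the query string. The following is an added example, not Budibase's code, that places the vulnerable check beside a hardened one that tests an anchored pattern against the path only. "/api/system/status" and the search URL come from the advisory; the allowlist shape, the second allowlist entry, the helper names and the sample requests are constructed for illustration.

```javascript
// Added example (not Budibase's code): vulnerable vs. hardened public-endpoint
// matching, modelled on the CWE-287 pattern in the CVE-2026-41428 summary.

// Hypothetical allowlist of endpoints that require no authentication.
const PUBLIC_ENDPOINTS = [
  "/api/system/status",        // endpoint named in the advisory
  "/api/public/health-check",  // constructed extra entry for illustration
];

// Escape a literal path so it can be embedded in a RegExp safely.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Vulnerable check: unanchored regex tested against the full URL.
// Any substring match satisfies it, including text in the query string.
function isPublicVulnerable(requestUrl) {
  return PUBLIC_ENDPOINTS.some((p) => new RegExp(escapeRegExp(p)).test(requestUrl));
}

// Hardened check: parse the URL, keep only the pathname (what Koa exposes as
// ctx.path), and require an anchored match. Query-string contents no longer
// influence the decision, while a legitimate public request that carries a
// query string is still recognised.
function isPublicHardened(requestUrl) {
  // The base is only there so that a relative URL parses; it is not used otherwise.
  const { pathname } = new URL(requestUrl, "http://localhost");
  return PUBLIC_ENDPOINTS.some((p) => new RegExp(`^${escapeRegExp(p)}$`).test(pathname));
}

// Minimal stand-in for a Koa-style auth middleware decision. `isPublic` is
// injected so both checks can be exercised against the same request objects.
function authDecision(ctx, isPublic) {
  if (isPublic(ctx.request.url)) return "allow:public";
  if (ctx.state && ctx.state.user) return "allow:authenticated";
  return "deny:401";
}

// Constructed sample requests, all without a session or user.
const SAMPLES = [
  { request: { url: "/api/system/status" }, state: {} },
  { request: { url: "/api/system/status?verbose=1" }, state: {} },
  { request: { url: "/api/global/users/search" }, state: {} },
  { request: { url: "/api/global/users/search?x=/api/system/status" }, state: {} }, // URL from the advisory
];

// Evaluate every sample under one check and return the decisions as strings.
function evaluate(isPublic) {
  return SAMPLES.map((ctx) => `${ctx.request.url} -> ${authDecision(ctx, isPublic)}`);
}

console.log("vulnerable (unanchored regex over ctx.request.url):");
evaluate(isPublicVulnerable).forEach((line) => console.log("  " + line));
console.log("hardened (anchored regex over pathname):");
evaluate(isPublicHardened).forEach((line) => console.log("  " + line));
```

Running it shows the search URL with the appended query parameter passing the vulnerable check as public and being rejected with 401 by the hardened one, while "/api/system/status?verbose=1" is still treated as public in both. A detection-side corollary is that a public-endpoint path appearing inside the query string of a request to a protected path is a usable signal in access logs for this class of bypass.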
Product
Name: budibase
Versions: 3.35.0, 3.35.1, 3.35.2, 3.35.3
Website: https://github.com/Budibase/budibase/
CVSSv3
VulDB Meta Base Score: 8.2
VulDB Meta Temp Score: 8.0
VulDB Base Score: 7.3
VulDB Temp Score: 7.0
CNA Base Score: 9.1
Exploiting
Class: Improper authentication
CWE: CWE-287
Physical: No
Local: No
Remote: Yes
Status: Not defined
Countermeasures
Recommended: Upgrade
Upgrade: budibase 3.35.4
Timeline
04/20/2026 CVE reserved
04/24/2026 +4 days Advisory disclosed
04/24/2026 +0 days VulDB entry created
04/24/2026 +0 days VulDB entry last update
Sources
Product: github.com
Advisory: github.com
Status: Confirmed
CVE: CVE-2026-41428
GCVE (CVE): GCVE-0-2026-41428
GCVE (VulDB): GCVE-100-359549
Entry
Created: 04/24/2026 21:57
Changes: 04/24/2026 21:57 (64)