A vulnerability was found in budibase up to 3.38.x . It has been rated as problematic . This affects the function packages/server/src/api/controllers/static/index.ts::getSignedUploadURL of the file /api/attachments . This manipulation causes missing authorization. This vulnerability is tracked as CVE-2026-50137 . The attack is possible to be carried out remotely. No exploit exists. Upgrading the affected component is advised.