Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-50136

Budibase is an open-source low-code platform. Prior to 3.39.3, the application server exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored in a workspace datasource. The route is protected only by the recaptcha middleware and does not require authentication, table permission, datasource permission, or builder access. A public caller who knows a workspace ID and S3 datasource ID can request a signed upload URL for attacker-controlled bucket and key values. This vulnerability is fixed in 3.39.3.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 24.4%
CVSS Severity
CVSS v3 Score 7.4
Products affected by CVE-2026-50136


Contact Us

Shodan ® - All rights reserved