CVE-2026-31816

Budibase · Budibase Server

A regex bypass in Budibase's middleware allows unauthenticated attackers to skip all authentication and authorization checks by appending a webhook path pattern to any API request URL.

Executive summary

A critical authentication bypass in Budibase allows unauthenticated remote attackers to access any server-side API endpoint, resulting in complete unauthorized control over the platform.

Vulnerability

The isWebhookEndpoint() function uses an unanchored regex against the full request URL, which includes query parameters. An unauthenticated attacker can bypass the authorized() middleware by appending ?/webhooks/trigger to any request, skipping all role checks and CSRF protections.

Business impact

This vulnerability effectively disables the security layer of the entire Budibase platform. An attacker can perform any action permitted by the API, including data exfiltration, user manipulation, and workflow modification. The CVSS score of 9.1 reflects the critical risk to organizational data and the ease with which an unauthenticated actor can compromise the internal tools built on the platform.

Remediation

Immediate Action: Upgrade Budibase server to version 3.31.5 or later, which corrects the regex validation error in the middleware.

Proactive Monitoring: Inspect server logs for any API requests containing query strings with webhook-related patterns (e.g., webhooks/trigger) originating from unauthorized users.

Compensating Controls: Deploy a Web Application Firewall (WAF) to block requests where the query string contains path traversal or webhook-specific keywords used to bypass middleware logic.
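To make the root cause and the suggested log check concrete, here is an added example in JavaScript that is not Budibase's own code: a hypothetical webhook-path check in the weak form the Vulnerability section describes beside a corrected form that tests only the parsed path with an anchored pattern, followed by a scan of constructed log lines for the query-string pattern the Proactive Monitoring item calls out. The route `/api/webhooks/trigger`, the function names and the log format are assumptions.

```javascript
// Assumed route for the webhook trigger endpoint (not taken from Budibase source).
const WEBHOOK_PATH = /^\/api\/webhooks\/trigger(\/|$)/;

// Weak form: an unanchored regex tested against the raw request URL, so the
// query string is included and a matching substring anywhere passes the check.
function isWebhookEndpointWeak(rawUrl) {
  return /\/webhooks\/trigger/.test(rawUrl);
}

// Corrected form: parse the URL, keep only the path component, and require the
// anchored route pattern, so query parameters can no longer influence the result.
function isWebhookEndpointFixed(rawUrl) {
  const { pathname } = new URL(rawUrl, "http://localhost");
  return WEBHOOK_PATH.test(pathname);
}

// Middleware-style decision: returns true when the request must go through the
// normal authentication and authorization checks, using the supplied endpoint check.
function requiresAuth(rawUrl, isWebhookEndpoint) {
  return !isWebhookEndpoint(rawUrl);
}

// Constructed sample log lines (hypothetical format): method, URL, status code.
const SAMPLE_LOG = [
  "GET /api/webhooks/trigger/app_123 200",
  "GET /api/users?/webhooks/trigger 200",
  "POST /api/applications?x=1&redirect=/webhooks/trigger 200",
  "GET /api/users 401",
];

// Monitoring: return the URLs whose query string (the part after '?') carries a
// webhook-trigger pattern; a legitimate webhook call has it in the path, not the query.
function findWebhookQueryAbuse(lines) {
  const hits = [];
  for (const line of lines) {
    const url = line.split(" ")[1] || "";
    const q = url.indexOf("?");
    if (q === -1) continue;
    if (/webhooks\/trigger/i.test(url.slice(q + 1))) hits.push(url);
  }
  return hits;
}
```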

Exploitation status

Public Exploit Available: false

Analyst recommendation

This is a "zero-click" authentication bypass that places all data within the Budibase environment at risk. It is imperative that administrators apply the update to version 3.31.5 immediately to re-establish the security perimeter of their low-code applications.