CVE-2026-41428 - Vulnerability Analysis
CriticalCVSS: 9.1Last Updated: April 24, 2026
Budibase - Authentication Bypass
Published: April 24, 2026Updated: April 24, 2026Remote Exploitable
Overview
Budibase < 3.35.4 contains an authentication bypass caused by unanchored regex matching of public endpoint patterns against ctx.request.url including query strings, letting attackers access protected endpoints by appending public paths as query parameters, exploit requires attacker to be authenticated.
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
Authenticated attackers can bypass authentication to access protected endpoints, potentially exposing sensitive data or functionality.
Mitigation
Update to version 3.35.4 or later.
Related Resources
Details
- CVE ID
- CVE-2026-41428
- Severity
- Critical
- CVSS Score
- 9.1
- Type
- broken_authentication
- Status
- new
CWE
- CWE-287
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H