Home / Vulnerability Intelligence / CVE-2026-41428

CVE-2026-41428 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: April 27, 2026

Budibase - Authentication Bypass

Published: April 24, 2026Updated: April 27, 2026Remote Exploitable

Overview

Budibase < 3.35.4 contains an authentication bypass caused by unanchored regex matching of public endpoint patterns against ctx.request.url including query strings, letting attackers access protected endpoints by appending public paths as query parameters, exploit requires attacker to be authenticated.

Severity & Score

Severity: Critical

CVSS Score: 9.1

EPSS Score: 5.5%(Probability of exploitation in next 30 days)

Impact

Authenticated attackers can bypass authentication to access protected endpoints, potentially exposing sensitive data or functionality.

Mitigation

Update to version 3.35.4 or later.

References

https://github.com/Budibase/budibase/security/advisories/GHSA-8783-3wgf-jggf

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 24, 2026

🔴 CVE-2026-41428 - Critical (9.1) Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query st... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41428/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-41428
Severity: Critical
CVSS Score: 9.1
Type: broken_authentication
Status: unconfirmed
EPSS: 5.5%
Social Posts: 1

CWE

CWE-287

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS Score

5.5%Probability of exploitation in the next 30 days