Skip to content

Commit ee5ceef

Browse files
1 parent 253b8e5 commit ee5ceef

1 file changed

Lines changed: 63 additions & 0 deletions

File tree

Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,63 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-jj36-r9w3-3pfh",
4+
"modified": "2026-06-22T23:15:10Z",
5+
"published": "2026-06-22T23:15:10Z",
6+
"aliases": [
7+
"CVE-2026-50136"
8+
],
9+
"summary": "Budibase: Unauthenticated S3 signed upload URL generation allows arbitrary writes with stored datasource credentials",
10+
"details": "The application server exposes an unauthenticated endpoint that generates S3 `PutObject` presigned URLs using credentials stored in a workspace datasource. The route is protected only by the recaptcha middleware and does not require authentication, table permission, datasource permission, or builder access. A public caller who knows a workspace ID and S3 datasource ID can request a signed upload URL for attacker-controlled bucket and key values.\n\n### Details\n\nThe static route registers the signed upload URL endpoint with only `recaptcha` before the controller:\n\n- `packages/server/src/api/routes/static.ts:44-48`\n\n```ts\n44: .post(\n45: \"/api/attachments/:datasourceId/url\",\n46: recaptcha,\n47: controller.getSignedUploadURL\n48: )\n```\n\nThe controller loads the datasource by `datasourceId` with enriched secret values:\n\n- `packages/server/src/api/controllers/static/index.ts:590-598`\n\n```ts\n590:export const getSignedUploadURL = async function (\n591: ctx: Ctx<GetSignedUploadUrlRequest, GetSignedUploadUrlResponse>\n592:) {\n593: // Ensure datasource is valid\n594: let datasource\n595: try {\n596: const { datasourceId } = ctx.params\n597: datasource = await sdk.datasources.get(datasourceId, { enriched: true })\n598: if (!datasource) {\n```\n\nThe request body controls `bucket` and `key`, and the server signs a PUT URL using the stored datasource credentials:\n\n- `packages/server/src/api/controllers/static/index.ts:609-629`\n\n```ts\n609: if (datasource?.source === \"S3\") {\n610: const { bucket, key } = ctx.request.body || {}\n611: if (!bucket || !key) {\n612: ctx.throw(400, \"bucket and key values are required\")\n613: }\n614: try {\n615: let endpoint = datasource?.config?.endpoint\n616: if (endpoint && !utils.urlHasProtocol(endpoint)) {\n617: endpoint = `https://${endpoint}`\n618: }\n619: const s3 = new S3({\n620: region: awsRegion,\n621: endpoint: endpoint,\n622: credentials: {\n623: accessKeyId: datasource?.config?.accessKeyId as string,\n624: secretAccessKey: datasource?.config?.secretAccessKey as string,\n625: },\n626: })\n627: const params = { Bucket: bucket, Key: key }\n628: signedUrl = await getSignedUrl(s3, new PutObjectCommand(params))\n629: if (endpoint) {\n```\n\nThe endpoint returns the signed URL and public URL to the caller:\n\n- `packages/server/src/api/controllers/static/index.ts:630-639`\n\n```ts\n630: publicUrl = `${endpoint}/${bucket}/${key}`\n631: } else {\n632: publicUrl = `https://${bucket}.s3.${awsRegion}.amazonaws.com/${key}`\n633: }\n634: } catch (error: any) {\n635: ctx.throw(400, error)\n636: }\n637: }\n638:\n639: ctx.body = { signedUrl, publicUrl }\n```\n\nBecause no authorization middleware is applied, the API trusts public input to choose where the stored S3 credentials will write.\n\n### PoC\n\nNon-destructive validation approach:\n\n1. Create or identify a workspace with an S3 datasource.\n2. Obtain the production workspace ID and S3 datasource ID.\n3. Send an unauthenticated request with the workspace ID header and attacker-controlled bucket/key:\n\n```http\nPOST /api/attachments/<datasourceId>/url HTTP/1.1\nx-budibase-app-id: app_<workspace-id>\ncontent-type: application/json\n\n{\"bucket\":\"attacker-controlled-or-permitted-bucket\",\"key\":\"poc/budibase.txt\"}\n```\n\n4. Observe that the response contains a signed PUT URL.\n5. Upload harmless content to the returned `signedUrl` and confirm the object is created using the datasource's stored S3 credentials.\n\n### Impact\n\nThis allows unauthenticated arbitrary object writes wherever the stored S3 datasource credentials have `PutObject` access. Depending on the datasource permissions, this can corrupt application data, overwrite public assets, place attacker-controlled objects in trusted buckets, consume storage, or abuse an organization's cloud credentials.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "@budibase/server"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "3.39.2"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-jj36-r9w3-3pfh"
42+
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/Budibase/budibase/pull/18774"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/Budibase/budibase/commit/d9dbb7f6105373cc88ecacdbcab70c776f7dd6a1"
50+
},
51+
{
52+
"type": "PACKAGE",
53+
"url": "https://github.com/Budibase/budibase"
54+
}
55+
],
56+
"database_specific": {
57+
"cwe_ids": [],
58+
"severity": "HIGH",
59+
"github_reviewed": true,
60+
"github_reviewed_at": "2026-06-22T23:15:10Z",
61+
"nvd_published_at": null
62+
}
63+
}

0 commit comments

Comments
 (0)