CVE-2026-50137 | budibase up to 3.38.x /api/attachments getSignedUploadURL authorization (GHSA-35c4-rvc8-frhm)

SecurityVulns

A vulnerability was found in budibase up to 3.38.x. It has been rated as problematic. This affects the function packages/server/src/api/controllers/static/index.ts::getSignedUploadURL of the file /api/attachments. This manipulation causes missing authorization.

This vulnerability is tracked as CVE-2026-50137. The attack is possible to be carried out remotely. No exploit exists.

Upgrading the affected component is advised.VulDB Recent EntriesRead More