Unrated

Budibase webhook trigger mass assignment leading to cross-workspace automation execution

IdentifiersCVE-2026-54351CWE-915

CVE-2026-54351 is a high-severity mass assignment vulnerability in Budibase affecting versions prior to 3.39.9. The flaw exists in the publicly accessible webhook trigger handling, specifically in externalTrigger(), where the full HTTP request body is passed into automation execution parameters without adequately preventing assignment to internal properties. By including an appId field in a webhook POST body, an attacker can overwrite the internal appId value that should identify the server-controlled workspace/application context. In the default asynchronous processing path used for webhooks without a collect step, the queued worker later executes the attacker-selected automation under the victim workspace context rather than the attacker’s own context. This results in cross-workspace automation execution and breaks tenant/workspace isolation.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can grant an attacker execution of attacker-defined automations in the context of another Budibase workspace on the same instance. Reported consequences include full read/write access to the victim workspace database, data exfiltration, unauthorized data modification, execution of JavaScript in the victim context, access to victim environment variables, and cross-tenant boundary violations in multi-tenant deployments. The issue is remotely exploitable over the network, requires no authentication at the webhook endpoint itself, and can affect confidentiality, integrity, and availability at a high level.

Mitigation

If you can’t patch tonight, do this now.

Until the fixed version is deployed, restrict or disable exposure of public webhook trigger endpoints where possible, especially /api/webhooks/trigger. Limit network access to trusted sources only, monitor for suspicious webhook requests containing internal fields such as appId, timeout, user, or metadata, and review automation execution context handling for cross-workspace abuse paths. Where feasible, avoid asynchronous webhook-triggered automations without compensating controls, or locally harden the code so server-controlled context values overwrite any user-supplied internal properties before jobs are queued.

Remediation

Patch, then assume compromise.

Upgrade Budibase to version 3.39.9 or later. The fix is reported to prevent user-controlled webhook fields from overriding the internal workspace/application context. If source-level patching is required, modify the webhook trigger handling in packages/server/src/automations/triggers.ts so appId is always derived from the server-controlled workspace context before asynchronous queueing, and/or implement a strict allowlist that strips internal properties such as appId, timeout, user, and metadata from webhook-supplied input before automation execution.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

BudibaseServerapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

cvefeed high severityNews

Jun 26, 2026

CVE-2026-54351 - Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override

A high-severity mass assignment vulnerability in Budibase's webhook trigger handling that allows an attacker to override appId and execute automations in a victim workspace, resulting in full read/write access to the victim's database.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-54351

NVD

nvd.nist.gov/vuln/detail/CVE-2026-54351

MITRE CWE · CWE-915

cwe.mitre.org