JustAppSec

Budibase webhook query-string pattern bypasses auth middleware on all server-side APIs (CVE-2026-31816)

What happened

A critical vulnerability in Budibase allows an unauthenticated remote attacker to bypass the server's authorized() middleware by appending a webhook path pattern to the query string of requests (for example, using ?/webhooks/trigger). The issue is caused by isWebhookEndpoint() testing an unanchored regex against ctx.request.url (Koa), which includes query parameters. When it matches, the middleware returns next() early, skipping authentication/authorization and CSRF protection.

Who is impacted

  • Budibase deployments running versions <= 3.31.4.
  • Impact described in the CVE record includes complete authentication bypass and broad API access (CRUD over tables/rows/automations/datasources, plus CSRF bypass).
  • CVSS v3.1 base score: 9.1 (Critical).

What to do now

  • Determine whether you are running Budibase <= 3.31.4.
  • Until an upstream fix is available, treat Budibase server-side APIs as potentially unauthenticated and reduce exposure (e.g., restrict network access to trusted users/VPN, tighten ingress rules, and consider blocking requests whose query strings contain webhook path patterns like ?/webhooks/ at a reverse proxy).
  • Review access logs for unexpected requests to /api/* endpoints containing webhook-like query-string fragments.

Additional Information

  • GitHub Security Advisory referenced by the CVE: https://github.com/Budibase/budibase/security/advisories/GHSA-gw94-hprh-4wj8.
Source: CVE Project (cvelistV5)
Published 09 Mar 2026. Updated 09 Mar 2026.

