JustAppSec

Budibase webhook query-string trick bypasses all server-side auth

Published 09 Mar 2026. Updated 09 Mar 2026. Source: CVE Project (cvelistV5)

TL;DR - Budibase up to 3.31.4 has a critical auth bypass. Append ?/webhooks/trigger to the query string of any API request and the middleware skips auth and CSRF entirely.

What happened

Budibase is the open-source low-code platform for internal apps. The new CVE is an unauthenticated remote bypass. The isWebhookEndpoint() helper runs an unanchored regex against ctx.request.url (Koa) - which includes the query string. If the regex matches, the middleware returns next() early. So every API endpoint becomes public to anyone who knows to put ?/webhooks/something in the URL.

Elegant in the wrong way. Unanchored regexes against full URLs are one of the most reliable ways to ship an auth bypass in middleware-based Node apps.

Who is impacted

  • Budibase deployments running versions <= 3.31.4.
  • Impact: complete authentication bypass, broad API access (CRUD over tables/rows/automations/datasources), and CSRF bypass.
  • CVSS 3.1: 9.1 (Critical).

What to do now

  • Determine whether you are running Budibase <= 3.31.4.
  • Until an upstream fix is available, treat server-side APIs as potentially unauthenticated:
    • Restrict network access to trusted users/VPN.
    • Block requests whose query strings contain ?/webhooks/ at a reverse proxy.
  • Review access logs for unexpected requests to /api/* endpoints with webhook-like query fragments.
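To make the bug class and the triage step concrete, here is an added example (not Budibase's own code) with a hypothetical isWebhookEndpoint() in the shape described above, the hardened form that tests only the parsed path, and a small scanner for the access-log review step. The webhook route prefix, the log format and the log lines are all assumptions made for the demo.

```javascript
// Assumed legitimate webhook trigger path; the real route is not given on this page.
const WEBHOOK_PREFIX = "/api/webhooks/trigger/";

// Hypothetical vulnerable check in the shape the article describes: an
// unanchored regex over ctx.request.url, which in Koa still carries the
// query string, so "/webhooks/" anywhere in the URL satisfies it.
function isWebhookEndpointVulnerable(requestUrl) {
  return /\/webhooks\//.test(requestUrl);
}

// Hardened check: parse first, then test only the pathname, anchored at its
// start, so the query string never takes part in the decision.
function isWebhookEndpointFixed(requestUrl) {
  const { pathname } = new URL(requestUrl, "http://localhost");
  return pathname.startsWith(WEBHOOK_PREFIX);
}

// Stand-in for the middleware's decision: the exemption skips auth and CSRF,
// anything else falls through to the normal checks.
function authDecision(requestUrl, isWebhookEndpoint) {
  return isWebhookEndpoint(requestUrl) ? "skipped" : "enforced";
}

// Triage helper for the "review access logs" step: return request targets
// whose query string (text after the first "?") contains a webhook-like
// fragment. Expects combined-log-style lines.
function findWebhookQueryFragments(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP\/[\d.]+"/);
    if (!m) continue;
    const target = m[1];
    const q = target.indexOf("?");
    if (q !== -1 && /\/webhooks\//.test(target.slice(q))) hits.push(target);
  }
  return hits;
}

// Constructed sample log lines, not real traffic.
const SAMPLE_LOG = [
  '203.0.113.5 - - [09/Mar/2026:10:00:00 +0000] "GET /api/tables?/webhooks/trigger HTTP/1.1" 200 512',
  '203.0.113.5 - - [09/Mar/2026:10:00:01 +0000] "POST /api/webhooks/trigger/abc/def HTTP/1.1" 200 12',
  '198.51.100.7 - - [09/Mar/2026:10:00:02 +0000] "GET /api/tables HTTP/1.1" 401 0',
];

for (const url of ["/api/tables?/webhooks/trigger", "/api/webhooks/trigger/abc/def"]) {
  console.log(url, "vulnerable:", authDecision(url, isWebhookEndpointVulnerable),
    "fixed:", authDecision(url, isWebhookEndpointFixed));
}
console.log("log hits:", findWebhookQueryFragments(SAMPLE_LOG));
```

The first URL is exempted by the vulnerable check but enforced by the fixed one, while the genuine trigger path is exempted by both; only the first log line is reported by the scanner.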
