Skip to content

[GHSA-jj36-r9w3-3pfh] Budibase: Unauthenticated S3 signed upload URL generation allows arbitrary writes with stored datasource credentials#8686

Merged
advisory-database[bot] merged 1 commit into
Amayyas/advisory-improvement-8686from
Amayyas-GHSA-jj36-r9w3-3pfh
Jul 17, 2026
Merged

[GHSA-jj36-r9w3-3pfh] Budibase: Unauthenticated S3 signed upload URL generation allows arbitrary writes with stored datasource credentials#8686
advisory-database[bot] merged 1 commit into
Amayyas/advisory-improvement-8686from
Amayyas-GHSA-jj36-r9w3-3pfh

Conversation

@Amayyas

@Amayyas Amayyas commented Jul 12, 2026

Copy link
Copy Markdown

Updates

  • CWEs

Comments
This advisory currently has no CWE assigned. The corresponding CVE record,
CVE-2026-50136 (assigned by the GitHub CNA), classifies this vulnerability as
CWE-306: Missing Authentication for Critical Function.

This is consistent with the advisory's own description: the
POST /api/attachments/:datasourceId/url endpoint generates S3 presigned upload
URLs and "does not require authentication, table permission, datasource
permission, or builder access" — a critical function exposed without
authentication.

Adding CWE-306 aligns the GitHub Advisory Database entry with the published CVE
record and improves classification and filtering.

References:

@github

github commented Jul 12, 2026

Copy link
Copy Markdown
Collaborator

Hi there @mjashanks! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

Copilot AI review requested due to automatic review settings July 12, 2026 15:19

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@github-actions
github-actions Bot changed the base branch from main to Amayyas/advisory-improvement-8686 July 12, 2026 15:20
@advisory-database
advisory-database Bot merged commit 58dae79 into Amayyas/advisory-improvement-8686 Jul 17, 2026
4 checks passed
@advisory-database

Copy link
Copy Markdown
Contributor

Hi @Amayyas! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database
advisory-database Bot deleted the Amayyas-GHSA-jj36-r9w3-3pfh branch July 17, 2026 16:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants