Budibase Authentication Bypass Vulnerability Allowing Unauthenticated Access to Protected Endpoints

Vulnerability

An authentication bypass vulnerability has been identified in Budibase versions prior to 3.35.4. The issue arises in the authenticated middleware, which uses unanchored regular expressions to match public endpoint patterns against the request URL. Because the matched URL includes the query string, an unanchored pattern is satisfied wherever the public path appears in that string, so an attacker can reach a protected endpoint by appending a public endpoint path as a query parameter. In that case the middleware treats the request as public, bypassing authentication and exposing sensitive data or functionality.

Impact

Exploitation of this vulnerability allows unauthenticated attackers to access protected endpoints, bypassing authentication checks. This could lead to unauthorized access to sensitive information or functionalities within the Budibase application.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/global/users/search' endpoint without authentication. The request will be denied with a 403 status code. Then, resend the request, this time including a query parameter that references a public endpoint, such as '/api/system/status'. The response will include all user data from the Budibase instance, demonstrating that authentication has been bypassed.

Remediation

Users are advised to update to Budibase version 3.35.4 or later, where this vulnerability has been fixed.

Added: Apr 24, 2026, 8:48 PM
Updated: Apr 24, 2026, 8:48 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 5.0
exploitability: 9.5
remediation: 7.7
relevance: 6.6
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.