Skip to content

[GHSA-jj36-r9w3-3pfh] Budibase: Unauthenticated S3 signed upload URL generation allows arbitrary writes with stored datasource credentials#8686

Open
Amayyas wants to merge 1 commit into
Amayyas/advisory-improvement-8686from
Amayyas-GHSA-jj36-r9w3-3pfh
Open

[GHSA-jj36-r9w3-3pfh] Budibase: Unauthenticated S3 signed upload URL generation allows arbitrary writes with stored datasource credentials#8686
Amayyas wants to merge 1 commit into
Amayyas/advisory-improvement-8686from
Amayyas-GHSA-jj36-r9w3-3pfh

Conversation

@Amayyas

@Amayyas Amayyas commented Jul 12, 2026

Copy link
Copy Markdown

Updates

  • CWEs

Comments
This advisory currently has no CWE assigned. The corresponding CVE record,
CVE-2026-50136 (assigned by the GitHub CNA), classifies this vulnerability as
CWE-306: Missing Authentication for Critical Function.

This is consistent with the advisory's own description: the
POST /api/attachments/:datasourceId/url endpoint generates S3 presigned upload
URLs and "does not require authentication, table permission, datasource
permission, or builder access" — a critical function exposed without
authentication.

Adding CWE-306 aligns the GitHub Advisory Database entry with the published CVE
record and improves classification and filtering.

References:

@github

github commented Jul 12, 2026

Copy link
Copy Markdown
Collaborator

Hi there @mjashanks! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

Copilot AI review requested due to automatic review settings July 12, 2026 15:19

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@github-actions github-actions Bot changed the base branch from main to Amayyas/advisory-improvement-8686 July 12, 2026 15:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants