Budibase Low-Code Platform Vulnerability Allows Full Account Takeover via XSS

The National Vulnerability Database lists a critical flaw (CVE-2026-42239) in Budibase, an open-source low-code platform. Versions prior to 3.35.10 set the budibase:auth cookie with httpOnly: false, so the JWT session token it carries is readable from JavaScript through document.cookie. Any Cross-Site Scripting (XSS) bug in a Budibase application therefore becomes a token-theft primitive: a payload can read the cookie, send it to an attacker-controlled host, and the attacker can replay the token from their own machine, without the victim's credentials, for as long as it remains valid.

Compounding the risk, the NVD entry notes the cookie also lacked the secure: true flag, so browsers would send it over unencrypted HTTP as well as HTTPS, exposing it to on-path interception on any plain-HTTP request to the host. Together the two misconfigurations lower the bar for compromising user accounts in Budibase applications considerably. The issue is fixed in version 3.35.10; deployments on older versions remain exposed.
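The following is an added example, not Budibase's code or anything from the NVD entry: a small Node.js audit of Set-Cookie headers for the two attributes the advisory concerns (HttpOnly and Secure), plus a model of what a script injected through XSS can read from document.cookie. It also checks SameSite, which the advisory does not mention. The header strings are constructed to match the shape the advisory describes; the token value is a placeholder. To check a real deployment, paste the Set-Cookie lines your own login response returns into auditSetCookie().

```javascript
// Added example, not Budibase's code: audit Set-Cookie headers for the two
// attributes CVE-2026-42239 concerned (HttpOnly, Secure), and show what a
// script running in the page (an XSS) can read from document.cookie.
// The header strings below are constructed, not captured from Budibase.

// Parse one Set-Cookie header value into name, value and a lowercase
// attribute map ({ httponly: true, secure: true, samesite: 'Strict', ... }).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return the list of problems with a session cookie's attributes.
// `sessionCookieNames` is the set of cookies that carry a session token;
// it defaults to the cookie name given in the advisory.
function auditSetCookie(header, sessionCookieNames = ['budibase:auth']) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!sessionCookieNames.includes(name)) return { name, findings };
  if (!('httponly' in attrs)) findings.push('HttpOnly missing: readable via document.cookie from any XSS');
  if (!('secure' in attrs)) findings.push('Secure missing: browser will also send it over plain HTTP');
  // SameSite is not part of the advisory but belongs in the same review.
  const sameSite = String(attrs.samesite || '').toLowerCase();
  if (!sameSite) findings.push('SameSite missing: relies on browser defaults');
  else if (sameSite === 'none' && !('secure' in attrs)) findings.push('SameSite=None requires Secure');
  return { name, findings };
}

// Model what document.cookie exposes to page script: every cookie except
// those marked HttpOnly (only name=value pairs; attributes are never visible).
function visibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !('httponly' in c.attrs))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed headers: the pre-3.35.10 shape the advisory describes (no
// HttpOnly, no Secure) beside a hardened shape. The token is a placeholder.
const TOKEN = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1LTEwMDEifQ.sig';
const WEAK_HEADER = `budibase:auth=${TOKEN}; Path=/; Max-Age=86400`;
const HARDENED_HEADER = `budibase:auth=${TOKEN}; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Strict`;

// Run the audit on both shapes and show what an XSS payload would see.
function demo() {
  return {
    weak: auditSetCookie(WEAK_HEADER).findings,
    hardened: auditSetCookie(HARDENED_HEADER).findings,
    weakExposed: visibleToScript([WEAK_HEADER, 'theme=dark']),
    hardenedExposed: visibleToScript([HARDENED_HEADER, 'theme=dark']),
  };
}
```

Calling demo() reports three findings for the weak header and none for the hardened one, and shows the session token present in the script-visible cookie string only in the weak case. The parser is deliberately forgiving (it accepts attribute casing and unknown attributes) because the goal is to review what a server actually emits, not to validate the header grammar.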

Defenders should verify their Budibase deployment version and upgrade to 3.35.10 or later. For instances still on vulnerable versions, audit for signs of XSS exploitation and for unauthorized session activity, such as one session token presented from more than one client address or User-Agent. Upgrading changes how new cookies are issued; it does not by itself invalidate tokens already stolen, so forcing re-authentication after patching is a sensible precaution. The ease with which an XSS escalates to full account takeover here underscores the need for robust input validation and output encoding in all web applications, especially those handling session tokens. Note also that HttpOnly limits what an XSS can exfiltrate, not what it can do: script running in the page can still issue authenticated requests that carry the cookie, so the flag is defense in depth, not a substitute for fixing the XSS.

What This Means For You

  • If your organization uses Budibase, confirm you are running version 3.35.10 or higher. If not, patch immediately and audit for suspicious session activity, such as one session token presented from more than one client address or User-Agent. Until then, any XSS in a Budibase application is a direct account takeover.

🛡️ Detection Rules

Severity: critical · ATT&CK: T1189 Drive-by Compromise (Initial Access)

CVE-2026-42239 Budibase Account Takeover via XSS Cookie Manipulation

Sigma YAML
title: CVE-2026-42239 Budibase Account Takeover via XSS Cookie Manipulation
id: scw-2026-05-07-ai-1
status: experimental
level: critical
description: |
  Flags POST requests to a /login path answered with a 302 whose query string contains the literal 'budibase:auth'. A session cookie name appearing in a query string is anomalous and may indicate a budibase:auth token stolen through XSS (CVE-2026-42239, cookie issued without httpOnly) being exfiltrated or replayed. This is a narrow heuristic: it does not detect the XSS itself, nor reuse of a stolen token presented normally in the Cookie header.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42239/
tags:
  - attack.initial_access
  - attack.t1189
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/login'
    cs-method:
      - 'POST'
    sc-status:
      - '302'
    cs-uri-query|contains:
      - 'budibase:auth'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

ID              Type           Indicator
CVE-2026-42239  Vulnerability  CVE-2026-42239

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 07, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Related coverage

CVE-2026-8098: SQL Injection in code-projects Feedback System 1.0

CVE-2026-8098 — A security vulnerability has been detected in code-projects Feedback System 1.0. Impacted is an unknown function of the file /admin/checklogin.php. Such manipulation of...

Tags: vulnerability, CVE, high-severity, sql-injection, CWE-74, CWE-89
SCW Vulnerability Desk · HIGH · 7.3 · 3 IOCs · 3 Sigma rules

CVE-2026-8097 — CodeAstro Online Classroom SQL Injection

CVE-2026-8097 — A security flaw has been discovered in CodeAstro Online Classroom 1.0. This vulnerability affects unknown code of the file /askquery.php. The manipulation of...

Tags: vulnerability, CVE, medium-severity, sql-injection, CWE-74, CWE-89
SCW Vulnerability Desk · MEDIUM · 6.3 · 3 IOCs · 3 Sigma rules

CVE-2026-42449: n8n-MCP SSRF Bypasses IPv6 Checks

CVE-2026-42449 — n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. In versions 2.47.4 through 2.47.13, the...

Tags: vulnerability, CVE, high-severity, server-side-request-forgery, CWE-918
SCW Vulnerability Desk · HIGH · 8.5 · 5 IOCs · 4 Sigma rules