NVD CRITICAL: CVE-2026-50137 — Budibase is an open-source low-code platform. Prior to 3.39.0, an anonymous atta...
Budibase is an open-source low-code platform. Prior to 3.39.0, an anonymous attacker who knows or can enumerate a workspace id (app_...) and an S3-source datasource id (ds_...) can call this endpoint with no auth and obtain a 15-minute pre-signed PUT URL minted on the victim's IAM identity. The endpoint also returns the publicUrl so the attacker knows exactly where their PUT lands. Because bucket
CVE-2026-50137