


Perceptive Security
SOC/SIEM Consultancy

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized() middleware t…
Published:
8 March 2026 at 23:00:00
Alert date:
9 March 2026 at 22:03:30
Source:
nvd.nist.gov
Web Technologies, Enterprise Applications
Budibase low-code platform versions 3.31.4 and earlier contain a critical authentication bypass in the server's authorized() middleware. The middleware calls isWebhookEndpoint() to decide whether a request targets a webhook route, which is exempt from authentication. That function tests an unanchored regular expression against the full request URL, query string included, instead of against the request path alone. Any request whose query string contains a webhook path pattern is therefore classified as a webhook call, and the middleware skips authentication, authorization, role checks and CSRF protection for it. A remote, unauthenticated attacker can reach any server-side API endpoint by appending ?/webhooks/trigger (or a similar pattern) to the URL.
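The check described above, reduced to its essentials as an added example. This is not Budibase's own code: the route prefix /api/webhooks/trigger, the two regular expressions, the session object and the sample request targets are assumptions constructed for the illustration. The vulnerable function matches an unanchored pattern against the raw request URL (query string included); the hardened function parses the URL, keeps only the path, and anchors the pattern at the start of that path.

```javascript
// Added illustration of the bug class behind CVE-2026-31816 (webhook-route check
// matched against the full URL instead of the path). This is NOT Budibase's code;
// the route prefix, regexes, session object and sample URLs are assumptions
// constructed for the example.

// Vulnerable check: an unanchored regex tested against the raw request URL,
// which still carries the query string, so "?/webhooks/trigger" anywhere matches.
const WEBHOOK_RE_VULN = /\/webhooks\/trigger/;
function isWebhookEndpointVulnerable(requestUrl) {
  return WEBHOOK_RE_VULN.test(requestUrl);
}

// Hardened check: parse the URL, keep only the path component, and anchor the
// regex at the start of the path. The query string never reaches the regex.
// Assumed route prefix: /api/webhooks/trigger
const WEBHOOK_RE_FIXED = /^\/api\/webhooks\/trigger(\/|$)/;
function isWebhookEndpointFixed(requestUrl) {
  // The base URL only lets a relative request target parse; it is discarded.
  const { pathname } = new URL(requestUrl, "http://localhost");
  return WEBHOOK_RE_FIXED.test(pathname);
}

// Minimal stand-in for an authorized() middleware decision. A real middleware
// would also evaluate roles and CSRF; here those collapse into "needs a session".
function authorize(requestUrl, session, isWebhookEndpoint) {
  if (isWebhookEndpoint(requestUrl)) {
    return { allowed: true, reason: "webhook route, auth skipped" };
  }
  if (!session) {
    return { allowed: false, reason: "unauthenticated" };
  }
  return { allowed: true, reason: "authenticated as " + session.user };
}

// Constructed sample request targets: one legitimate webhook call, then two
// unauthenticated bypass attempts that smuggle the pattern into the query string.
const SAMPLE_URLS = [
  "/api/webhooks/trigger/app_123/wh_456",
  "/api/admin/users?/webhooks/trigger",
  "/api/global/users?redirect=/webhooks/trigger",
];

// Runs both checks over the samples with no session and returns one row per URL,
// so the difference between the two checks can be inspected or asserted on.
function compareChecks(urls = SAMPLE_URLS) {
  return urls.map((url) => ({
    url,
    vulnerableSkipsAuth: authorize(url, null, isWebhookEndpointVulnerable).allowed,
    fixedSkipsAuth: authorize(url, null, isWebhookEndpointFixed).allowed,
  }));
}

for (const row of compareChecks()) {
  console.log(row);
}
```

Only the first sample is a webhook call under the hardened check; the two bypass attempts are sent on to the normal session, role and CSRF checks. For monitoring, the same mechanism gives a usable signal: requests to non-webhook API paths whose query string contains a webhook path fragment such as /webhooks/trigger are not something a legitimate client sends.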
Technical details
Mitigation steps: Upgrade to a Budibase release newer than 3.31.4; the GitHub advisory linked below identifies the patched version. Until the upgrade is applied, limit network exposure of the Budibase server API and alert on requests whose query string contains webhook path fragments such as /webhooks/trigger.
Affected products:
Budibase
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-31816
https://github.com/Budibase/budibase/security/advisories/GHSA-gw94-hprh-4wj8
This article was created with the assistance of AI technology by Perceptive.
