CVE-2026-50132 is a high-severity cross-site request forgery (CSRF) vulnerability in @budibase/server (npm), affecting versions < 3.39.0. It is fixed in 3.39.0.
Title: Chat Identity Link Hijacking, Attacker Can Silently Map Their Slack/Discord Identity to Any Authenticated Budibase User's Account

Severity: High, CVSS 3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N = 7.3

Affected Product

Product: Budibase
Version: 3.37.2 (introduced in this version)
Component: packages/server/src/api/controllers/ai/chatIdentityLinks.ts
Endpoint: GET /api/chat-links/:instance/:token/handoff

Vulnerability Type

CWE-352: Cross-Site Request Forgery
CWE-284: Improper Access Control

Vulnerability Description

GET /api/chat-links/:instance/:token/handoff is a public endpoint (no auth required) that performs a permanent, state-changing operation: it binds an external chat identity (Slack/Discord/MS Teams) to an authenticated Budibase user account, with no consent UI and no CSRF protection.

The session token in the URL is created by the attacker (from their own /link slash command) and embeds the attacker's externalUserId. When an authenticated Budibase victim visits the URL, their account is silently and permanently linked to the attacker's Slack/Discord identity. The server responds with "Authentication succeeded.", with no indication of what was linked.

Route Registration

Vulnerable Controller (full function)

Proof of Concept, Annotated HTTP Trace

Setup

| Role | Identity |
|---|---|
| Attacker | Slack user UATTACKER (e.g. UA12345678), Budibase tenant acme, workspace ID wsabc123 |
| Victim | Budibase admin, session cookie budibase:session=VICTIMSESSION |

Step 1, Attacker triggers /link in Slack

Attacker types /link to the Budibase Slack bot. Budibase server creates a Redis session:

Redis key: chatIdentityLinkSession:tokxxxxxxxxxxxxxxxx
Redis value (exact structure from ChatIdentityLinkSession interface):

Slack DM sent privately to attacker:

Key observation: this URL embeds the attacker's own externalUserId inside the token. The attacker has full control over which identity gets linked.

Step 2, Attacker forwards URL to victim

Attacker posts in the company Slack:

Step 3, Victim clicks link (authenticated)

HTTP Request (victim's browser):

HTTP Response:

The victim sees "Authentication succeeded." with no mention of Slack, no mention of the attacker, and no mention of what capabilities were granted.

CouchDB global-db document written immediately after (exact structure from upsertChatIdentityLink):

The mapping is now permanent: externalUserId = UA12345678 (attacker) → globalUserId = roglobalusVICTIMADMIN_ID (victim).

Step 4, Attacker impersonates victim via AI agent

Attacker sends any message to the Budibase Slack bot from their own account (UA12345678). The chat handler resolves the identity:

The attacker can now ask the agent:

- "Show me all rows in the Customers table"
- "Trigger the 'Send Invoice' automation for customer ID 42"
- "What files are in the knowledge base?"

Each request runs with the victim admin's identity and permissions. The victim has no indication this is happening.

Step 3b, Variant: Victim Not Yet Authenticated

If the victim is not currently logged in when they click the URL:

HTTP Request:

HTTP Response:

After the victim logs in, the browser follows the return URL and the attack completes identically to Step 3.

Impact

| Dimension | Detail |
|---|---|
| Confidentiality | High, attacker reads all table rows, files, and knowledge base data accessible to victim |
| Integrity | High, attacker writes rows and triggers automations (email, external API calls, record creation) as victim |
| Availability | None |
| Auth required | Low, attacker only needs a Slack/Discord account in the same workspace as the Budibase bot |
| User interaction | Required, victim clicks one link (trivial social engineering in any enterprise Slack) |
| Scope | Unchanged, impact is within the victim's Budibase tenant |
| Persistence | Permanent, the link document persists in CouchDB until explicitly deleted; re-exploitation survives token rotation |

Why Severity Is High (Not Medium)

The social engineering bar is near zero in enterprise Slack:

- The link looks like a legitimate Budibase URL on the company domain
- The message pattern ("link your account for AI agent access") matches the product's own UX
- A victim who clicks and sees "Authentication succeeded." has no reason to be suspicious
- The effect is permanent and silent; the victim never learns their account was linked

Combined with admin-level access to all application data and automation triggers, this meets the bar for High.

Remediation

Minimum Fix, Add Consent Page

Convert the handoff to a two-step flow:

Moving the write to POST removes it from publicRoutes, making Budibase's existing CSRF middleware apply automatically.

Additional Hardening

- Show the externalUserName and provider on the consent page
- Log the event to the audit trail (both identities, timestamp, IP)
- Optionally restrict linking to users with explicit permission (not all roles)

Credits

Vishal Kumar B, https://github.com/VishaaLlKumaaRr

References

- packages/server/src/api/routes/chat.ts:22, public route registration
- packages/server/src/api/controllers/ai/chatIdentityLinks.ts:61–110, full vulnerable controller
- packages/server/src/sdk/workspace/ai/chatIdentityLinks.ts:135–165, session creation (embeds attacker's externalUserId)
- packages/server/src/sdk/workspace/ai/chatIdentityLinks.ts:202–247, upsertChatIdentityLink (permanent write)
- packages/server/src/api/controllers/webhook/chatHandler.ts:421, identity resolution during agent message handling
- packages/server/src/ai/tools/budibase/automations.ts, automation trigger capability
- packages/server/src/ai/tools/budibase/rows.ts, row read/write capability
- packages/types/src/sdk/chatIdentityLinks.ts, session + link type definitions
- CWE-352: Cross-Site Request Forgery
- CWE-284: Improper Access Control
A victim's authenticated browser session is used to submit forged requests to an application that cannot distinguish them from legitimate ones. Typical impact: state-changing actions performed as the victim without their consent.
CVE-2026-50132 has a CVSS score of 7.3 (High). The vector is network-reachable, low privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (3.39.0). Upgrading removes the vulnerable code path.
Package: @budibase/server (npm). Affected: < 3.39.0. Fixed: 3.39.0.

Severity tells you how bad this could be in the worst case; it does not tell you whether you are exposed. Exploitability and impact depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.