CVE-2026-50137 - Budibase: POST /api/attachments/:datasourceId/url is unauthenticated and lets anonymous callers mint S3 PUT pre-signed URLs using stored datasource IAM credentials
CVE ID :CVE-2026-50137 Published : June 26, 2026, 8:41 p.m. | 4 hours, 30 minutes ago Description :Budibase is an open-source low-code platform. Prior to 3.39.0, an anonymous attacker who knows or can enumerate a workspace id (app_...) and an S3-source datasource id (ds_...) can call this...