js · @budibase/server · Critical
@budibase/server webhook mass assignment vulnerability allows appId overwrite
What changed
A mass assignment vulnerability in the webhook trigger endpoint allows an attacker to overwrite the internal `appId` property by including it in the webhook POST body, causing the automation to execute in the victim's workspace context.
Who it affects
All Budibase instances that use webhook automations; any workspace with a webhook trigger is exposed. An attacker with builder access to any workspace on the same instance can run automations in the context of other workspaces and so compromise them.
What to do today
Apply the recommended fix: set `appId` from server-side state, never from the request body, before the async automation job is queued, or allowlist which webhook body fields are spread into the job so that internal properties cannot be supplied by the caller.
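As an added example (not Budibase's own code): a stripped-down model of the pattern the advisory describes, with the vulnerable object spread beside the two fixes named above. The function names, the job shape, the allowlisted field names and the sample request body are assumptions made for this illustration.

```javascript
// Added example, not Budibase's code. Models a webhook handler that spreads
// the POST body into the queued automation job. Function names, job shape,
// allowlist contents and the sample body are assumptions for illustration.

// Vulnerable shape: the body is spread AFTER the server-set appId, so a
// caller-supplied `appId` key silently overrides it (mass assignment).
function buildJobVulnerable(serverAppId, automationId, body) {
  return {
    appId: serverAppId,
    automationId,
    ...body, // attacker-controlled keys land here, including appId
  };
}

// Fix 1: server-controlled fields are assigned after the spread, so nothing
// in the body can overwrite them before the job is queued.
function buildJobServerControlled(serverAppId, automationId, body) {
  return {
    ...body,
    appId: serverAppId,
    automationId,
  };
}

// Fix 2: only allowlisted body fields reach the job at all, and they are kept
// under their own key so they can never collide with internal properties.
// The allowlist itself is an assumption; a real schema would differ.
const WEBHOOK_FIELD_ALLOWLIST = new Set(["event", "payload"]);

function buildJobAllowlisted(serverAppId, automationId, body) {
  const fields = {};
  for (const key of Object.keys(body)) {
    if (WEBHOOK_FIELD_ALLOWLIST.has(key)) fields[key] = body[key];
  }
  return { appId: serverAppId, automationId, fields };
}

// Optional hardening: reject, rather than silently drop, bodies that try to
// set reserved internal properties, so the attempt is visible in logs.
const RESERVED_FIELDS = new Set(["appId", "automationId"]);

function findReservedFields(body) {
  return Object.keys(body).filter((key) => RESERVED_FIELDS.has(key));
}

// Constructed attacker request body: a plausible payload plus an injected
// `appId` naming a victim workspace on the same instance.
const ATTACKER_BODY = {
  event: "order.created",
  payload: { id: 42 },
  appId: "app_victim",
};

// Builds the same job three ways and returns which appId each would run under.
function demo() {
  const serverAppId = "app_attacker"; // the workspace the webhook belongs to
  const automationId = "auto_1";
  return {
    vulnerable: buildJobVulnerable(serverAppId, automationId, ATTACKER_BODY).appId,
    serverControlled: buildJobServerControlled(serverAppId, automationId, ATTACKER_BODY).appId,
    allowlisted: buildJobAllowlisted(serverAppId, automationId, ATTACKER_BODY).appId,
    rejectedFields: findReservedFields(ATTACKER_BODY),
  };
}

console.log(demo());
```

Either fix is sufficient on its own; the allowlist is the stronger default because it also stops any future internal property from being reachable through the body, and combining it with the reserved-field check turns a silent override into an auditable 4xx.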