js · @budibase/server · Critical
@budibase/server: Unauthenticated webhook schema update vulnerability
What changed
The webhook schema-building endpoint at POST /api/webhooks/schema/:instance/:id is incorrectly exempted from the authorization middleware, allowing unauthenticated users to update webhook body schemas and automation trigger output schemas.
Who it affects
All Budibase instances with webhook-backed automations; any unauthenticated attacker with a known webhook ID can modify schema data.
What to do today
Apply the fix by removing the schema path from the WEBHOOK_ENDPOINTS regex or adding explicit authorization checks for the schema-building endpoint.
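As an added illustration (not Budibase's own code), the block below shows how an "unauthenticated endpoints" regex inside an authorization middleware can silently exempt a route, with the over-broad pattern beside the narrowed one. The regex contents, the middleware shape and the sample paths are constructed assumptions modelled on the advisory text, not the project's real values.

```javascript
// Added example, not Budibase code. Models an authorization middleware that
// exempts "public webhook" routes via a regex, and shows how an over-broad
// pattern exempts the schema-building endpoint as well.

// Assumed over-broad allowlist: matches both the external trigger endpoint and
// the schema endpoint, so schema updates never reach the auth check.
const WEBHOOK_ENDPOINTS_VULNERABLE = /\/api\/webhooks\/(trigger|schema)\//;

// Narrowed allowlist: only the endpoint that must be callable without a
// session (the external trigger) is exempt; everything else requires a user.
const WEBHOOK_ENDPOINTS_FIXED = /^\/api\/webhooks\/trigger\/[^/]+\/[^/]+$/;

// Koa-style middleware factory (synchronous here for clarity). `ctx` carries
// { method, path, user, status }; `next` is the downstream route handler.
function authorized(webhookEndpoints) {
  return function (ctx, next) {
    const isPublicWebhook =
      ctx.method === "POST" && webhookEndpoints.test(ctx.path);
    if (!isPublicWebhook && !ctx.user) {
      ctx.status = 403; // no session and not an exempt route: reject
      return;
    }
    next();
  };
}

// Runs one request through the middleware and reports whether the handler ran.
function dispatch(webhookEndpoints, method, path, user) {
  const ctx = { method, path, user, status: 200, handled: false };
  authorized(webhookEndpoints)(ctx, () => { ctx.handled = true; });
  return { status: ctx.status, handled: ctx.handled };
}

// Audit helper: lists which known routes a given allowlist exempts from auth,
// the review step that would have caught the over-broad pattern.
function exemptedRoutes(webhookEndpoints, routes) {
  return routes.filter((route) => webhookEndpoints.test(route));
}

// Constructed sample paths (placeholder instance and webhook ids).
const SCHEMA_PATH = "/api/webhooks/schema/app_example/wh_example";
const TRIGGER_PATH = "/api/webhooks/trigger/app_example/wh_example";
const KNOWN_WEBHOOK_ROUTES = [SCHEMA_PATH, TRIGGER_PATH];

// Unauthenticated POST to the schema endpoint: handled under the old regex,
// rejected with 403 under the narrowed one.
console.log(dispatch(WEBHOOK_ENDPOINTS_VULNERABLE, "POST", SCHEMA_PATH, undefined));
console.log(dispatch(WEBHOOK_ENDPOINTS_FIXED, "POST", SCHEMA_PATH, undefined));
console.log(exemptedRoutes(WEBHOOK_ENDPOINTS_FIXED, KNOWN_WEBHOOK_ROUTES));
```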