Budibase Chat Identity Link Hijacking, Improper Access Control (CWE-284), CVE-2026-XXXXX (High) -DC-Jun2026-566

How the CVE Works

This vulnerability resides in Budibase’s AI chat identity linking feature, specifically in the `GET /api/chat-links/:instance/:token/handoff` endpoint. The endpoint is registered as a public route (publicRoutes) in packages/server/src/api/routes/chat.ts:22, meaning it requires no authentication middleware. When a user triggers the `/link` slash command in Slack (or Discord/MS Teams), the server creates a Redis session containing the attacker’s `externalUserId` (e.g., their Slack ID) and returns a URL embedding that session token.
The critical flaw is that the `handoffChatLinkSession` controller (packages/server/src/api/controllers/ai/chatIdentityLinks.ts:61–110) performs a permanent, state-changing write operation—upsertChatIdentityLink()—on a `GET` request with no CSRF protection and no consent UI. When an authenticated victim visits the attacker‑crafted URL, the controller extracts the token, retrieves the session (which contains the attacker’s external identity), and silently binds that external identity to the victim’s Budibase globalUserId.
The server responds with a generic “Authentication succeeded.” HTML page, giving the victim no indication that their account was linked to an attacker’s Slack/Discord identity. If the victim is not authenticated at the time of the click, the endpoint sets a return URL cookie and redirects to login; after successful authentication, the attack completes identically.
Once the link is established (stored permanently in CouchDB), the attacker can send messages to the Budibase Slack bot from their own account. The chat handler resolves the attacker’s `externalUserId` to the victim’s `globalUserId` and executes all agent tool calls (row reads/writes, automation triggers) with the victim’s permissions—silently and permanently. The social engineering bar is near zero because the URL is on the company domain and matches the product’s legitimate UX flow.

DailyCVE Form:

Platform: Budibase
Version: 3.37.2
Vulnerability: Chat Identity Hijacking
Severity: High (CVSS 7.3)
Date: 2026-05-02

Prediction: 2026-05-20 (patched in 3.39.0)

What Undercode Say:

# Check whether the endpoint is reachable without a session (no auth middleware is applied to this route)
curl -v https://budibase.company.com/api/chat-links/ws_abc123/tok_xxxxxxxxxxxxxxxx/handoff

# Inspect a pending link session in Redis (requires Redis access)
redis-cli GET "chatIdentityLinkSession:tok_xxxxxxxxxxxxxxxx"

# Query CouchDB for existing links (requires CouchDB access)
curl 'http://couchdb:5984/global-db/_design/chat/_view/by_provider?key=["slack","T_ACME_SLACK","UA12345678"]'

Code snippet of vulnerable controller (abridged):

// packages/server/src/api/controllers/ai/chatIdentityLinks.ts:61–110
export async function handoffChatLinkSession(ctx: UserCtx) {
  const token = resolveToken(ctx.params.token)
  const session = await sdk.ai.chatIdentityLinks.getChatIdentityLinkSession(token)
  if (!ctx.isAuthenticated) {
    // Unauthenticated click: remember this URL and come back to it after login
    utils.setCookie(ctx, `/api/chat-links/${ctx.params.instance}/${token}/handoff`, "budibase:returnurl", { sign: false })
    ctx.redirect("/builder/auth/login")
    return
  }
  const currentGlobalUserId = getCurrentGlobalUserId(ctx)
  const consumedSession = await sdk.ai.chatIdentityLinks.consumeChatIdentityLinkSession(token)
  // ⚠️ NO consent check, NO CSRF token — permanent write on GET
  await sdk.ai.chatIdentityLinks.upsertChatIdentityLink({
    provider: consumedSession.provider,
    externalUserId: consumedSession.externalUserId, // ← Attacker's Slack ID
    globalUserId: currentGlobalUserId,              // ← Victim's Budibase ID
    linkedBy: currentGlobalUserId,
  })
  ctx.body = renderLinkSuccessPage() // "Authentication succeeded."
}

Exploit:

  1. Attacker triggers `/link` in Slack → receives URL containing their own `externalUserId` embedded in the token.
  2. Attacker forwards URL to victim via social engineering (e.g., “please click to connect your Budibase account for AI agent access”).
  3. Victim clicks (authenticated or redirected through login) → endpoint silently links attacker’s Slack identity to victim’s Budibase account.
  4. Attacker messages the Budibase Slack bot → chat handler resolves to victim’s globalUserId.
  5. Attacker issues commands (e.g., “Show all rows in Customers table”, “Trigger Send Invoice automation”) → executed with victim admin privileges.

HTTP Trace (authenticated victim):

GET /api/chat-links/ws_abc123/tok_xxxxxxxxxxxxxxxx/handoff HTTP/1.1
Host: budibase.company.com
Cookie: budibase:session=VICTIM_SESSION

HTTP/1.1 200 OK
Content-Type: text/html

Authentication succeeded.

CouchDB document written:

{
  "_id": "chatidentitylink_acme_slack_T_ACME_SLACK_UA12345678",
  "provider": "slack",
  "externalUserId": "UA12345678",                  // ← Attacker
  "globalUserId": "ro_global_us_VICTIM_ADMIN_ID",  // ← Victim
  "linkedBy": "ro_global_us_VICTIM_ADMIN_ID"
}

Protection:

  • Upgrade to Budibase 3.39.0 or later, which includes the fix.
  • Apply the minimum fix: convert the handoff to a two-step flow with a consent page (GET shows consent, `POST` performs write with CSRF token).
  • Additional hardening: display `externalUserName` and provider on the consent page; log the event to the audit trail; restrict linking to users with explicit permission.
  • Workaround: temporarily disable the AI chat feature, or block the `/api/chat-links/` endpoint at the reverse proxy (e.g., location /api/chat-links/ { deny all; }). Note that the proxy rule also blocks legitimate `/link` handoffs until the upgrade, and that it does not remove links already written to CouchDB; audit those separately.

Impact:

| Dimension | Detail |
|---|---|
| Confidentiality | High: attacker reads all table rows, files, and knowledge base data accessible to the victim |
| Integrity | High: attacker writes rows and triggers automations (email, external API calls, record creation) as the victim |
| Availability | None |
| Auth Required | Low: attacker only needs a Slack/Discord account in the same workspace as the Budibase bot |
| User Interaction | Required: victim clicks one link (trivial social engineering in enterprise Slack) |
| Scope | Unchanged: impact is confined to the victim's Budibase tenant |
| Persistence | Permanent: the link document persists in CouchDB until explicitly deleted, so the attacker's access survives session token rotation |

Credits: Vishal Kumar B (https://github.com/VishaaLlKumaaRr)

Sources:

Reported By: github.com