GHSA-v7j5-vc4m-723w: Budibase has an Account Impersonation Issue — Chat Identity Link Hijacking via Missing Consent & CSRF
highvulnerability
security
Summary
Budibase versions up to 3.37.2 have a high-severity account impersonation vulnerability in the chat identity linking feature. An attacker can trick an authenticated user into visiting a specially crafted URL that silently links the victim's Budibase account to the attacker's external chat identity (Slack, Discord, or MS Teams) without requiring the victim's consent or CSRF protection (a token that verifies the user actually intended to perform the action). This allows the attacker to impersonate the victim in chat integrations.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
June 22, 2026
Classification
Attack SophisticationModerate
Affected Packages
@budibase/server@< 3.39.0 (fixed: 3.39.0)
Monthly digest — independent AI security research
Original source: https://github.com/advisories/GHSA-v7j5-vc4m-723w
First tracked: June 22, 2026 at 08:01 PM
Classified by LLM (prompt v3) · confidence: 95%