CVE-2026-42239: Budibase auth session cookies are set with httpOnly:false — any XSS can lead to full account takeover
The budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. JavaScript can read this cookie via document.cookie. Given that Budibase has had XSS vulnerabilities (GHSA-gp5x-2v54-v2q5 — stored XSS via unsanitized entity names, published April 2, 2026), this means every XSS becomes a full account takeover — the attacker steals the JWT and has persistent access to the victim’s account.
The cookie also lacks the secure: true flag (so it is sent over plaintext HTTP as well) and has no sameSite attribute (so browsers attach it to cross-site requests).
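The weak cookie options the advisory describes next to a hardened set, plus a small audit of the resulting Set-Cookie header, as an added TypeScript example (editor's code, not Budibase's; the CookieOptions shape, the hardened values and the placeholder token are assumptions, not the project's actual call site or fix):

```typescript
// Added example (not Budibase code): build a Set-Cookie header from an
// options object like the one the advisory describes, then audit it.

interface CookieOptions {
  httpOnly?: boolean;
  secure?: boolean;
  sameSite?: "Strict" | "Lax" | "None";
  path?: string;
  maxAge?: number; // seconds
}

// Serialise a cookie the way a Set-Cookie response header would carry it.
function buildSetCookie(name: string, value: string, opts: CookieOptions): string {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  parts.push(`Path=${opts.path ?? "/"}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.secure) parts.push("Secure");
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join("; ");
}

// Return the protective attributes a session cookie header is missing.
// Usable as a response-header check in an integration test or proxy log review.
function auditSessionCookie(setCookie: string): string[] {
  const attrs = setCookie.split(";").slice(1).map(a => a.trim().toLowerCase());
  const missing: string[] = [];
  if (!attrs.includes("httponly")) missing.push("HttpOnly");
  if (!attrs.includes("secure")) missing.push("Secure");
  if (!attrs.some(a => a.startsWith("samesite="))) missing.push("SameSite");
  return missing;
}

// Constructed placeholder token, not a real JWT.
const token = "eyJ.placeholder.token";

// Weak form, as the advisory describes: readable from document.cookie,
// sent over plaintext HTTP, attached to cross-site requests.
const weakHeader = buildSetCookie("budibase:auth", token, { httpOnly: false });

// Hardened form (editor's suggestion, not the project's own patch).
const hardenedHeader = buildSetCookie("budibase:auth", token, {
  httpOnly: true, secure: true, sameSite: "Lax", maxAge: 60 * 60 * 24,
});

console.log(auditSessionCookie(weakHeader));     // ["HttpOnly", "Secure", "SameSite"]
console.log(auditSessionCookie(hardenedHeader)); // []
```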