Free storage on any Bubble app?

It looks like anyone can upload files to any Bubble app using a POST on the /fileupload endpoint.
I’m concerned that this could be some exploit.

Here are a couple of examples. One in own instance, and another in an app of mine.

Both successfully returned a file URL and the code is not set to provide any authentication. I get this is to allow anonymous users, for instance, to upload files. But I think that should be only where intended, not for any POST request.

Yes, unfortunately they still haven’t patched this.

This topic was automatically closed after 14 days. New replies are no longer allowed.