Budibase open-source low-code platform contains a privilege escalation vulnerability (CVE-2026-48150) affecting versions prior to 3.39.0. The vulnerability exists in the /api/public/v1/roles/assign endpoint which is protected by builderOrAdmin middleware that incorrectly allows workspace-scoped builders to escalate privileges. An attacker with a workspace-scoped builder role and API key can promote themselves or other users to global admin status through a single POST request. This tenant-wide privilege escalation affects users with Enterprise licenses that have the EXPANDED_PUBLIC_API feature enabled. The vulnerability has been patched in version 3.39.0.