top of page
perceptive_background_267k.jpg

Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, a…

Published:

26 mei 2026 om 22:00:00

Alert date:

27 mei 2026 om 19:08:13

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies, Identity & Access

Budibase open-source low-code platform contains a privilege escalation vulnerability in versions prior to 3.38.1. The POST /api/global/users/onboard endpoint allows builder-level users to bypass admin-restricted invite flow when SMTP email is not configured (default for self-hosted instances). Attackers can create new global admin accounts with arbitrary role assignments and receive generated passwords in response, achieving full privilege escalation. The vulnerability is fixed in version 3.38.1.

Technical details

Mitigation steps:

Affected products:

Budibase

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-45716
https://github.com/Budibase/budibase/releases/tag/3.38.1
https://github.com/Budibase/budibase/security/advisories/GHSA-c54j-xp92-wh28

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page