Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares to the SCIM router: r…

Budibase, an open-source low-code platform, contains a critical authentication bypass vulnerability in versions prior to 3.38.2. The SCIM router in packages/worker/src/api/routes/global/scim.ts lacks proper role-based access controls, allowing any authenticated user with basic privileges to access SCIM endpoints. This enables unauthorized users to perform CRUD operations on all users and groups within the tenant. The vulnerability affects the worker component and bypasses intended access restrictions. A fix has been released in version 3.38.2 that addresses the missing role check middleware.