Budibase is an open-source low-code platform. Prior to 3.39.0, /api/public/v1/roles/assign is guarded by the builderOrAdmin middleware, which passes any user wh…

Budibase open-source low-code platform contains a privilege escalation vulnerability in versions prior to 3.39.0. The /api/public/v1/roles/assign endpoint allows workspace-scoped builders with API keys to escalate privileges to global admin through improper middleware validation. The vulnerability affects the builderOrAdmin middleware which incorrectly processes the x-budibase-app-id header. Attackers can exploit this to gain tenant-wide administrative access from app-level roles. The issue is specific to Enterprise license holders with EXPANDED_PUBLIC_API feature enabled. Fixed in version 3.39.0.