Description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invite new users with any role, including Admin, Creator, or App Viewer, and assign them to any group in the organization. This allows full privilege escalation, bypassing UI restrictions, and can lead to complete takeover of the workspace or organization. As of time of publication, no known fixed versions are available.
Published: 2026-01-29
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Assess Impact
AI Analysis

Impact

In Budibase versions up to and including 3.26.3, a Creator-level user can alter API requests to invite any new user with any organization role, including Admin, Creator, or App Viewer. This bypasses the UI restriction that normally denies creators the ability to invite users, enabling the attacker to grant themselves or another user full administrative control over the workspace or entire organization. The vulnerability represents a classic case of insufficient access control (CWE-863) and can lead to complete takeover of the system.

Affected Systems

The affected product is Budibase, a low-code platform for internal tools and admin panels. All installations running versions up to and including 3.26.3 are vulnerable; the issue is not limited to any specific deployment scenario.

Risk and Exploitability

The CVSS score of 5.7 indicates a moderate severity level, and the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, reducing its current threat visibility. The attack vector, inferred from the description, is bypassing UI restrictions via crafted API calls; the attacker needs only network access to the API endpoint, so the attack is possible over the internet or private networks.

Generated by OpenCVE AI on April 18, 2026 at 01:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable the ability for Creator-level users to invite new users via the API until a fix is released or the platform is upgraded to a version where this feature is restricted.
  • Apply a patch or upgrade Budibase to a future version once an official fix becomes available.
  • Implement network-level controls or rate limiting on the API to restrict unauthorized or excessive invitation requests.
  • Configure audit logging for all user invitation events and monitor for anomalous activity, focusing on invitations issued by Creator roles.


Advisories

No advisories yet.

History

Tue, 03 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 02 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 30 Jan 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Budibase; Budibase budibase
Vendors & Products | | Budibase; Budibase budibase

Thu, 29 Jan 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invite new users with any role, including Admin, Creator, or App Viewer, and assign them to any group in the organization. This allows full privilege escalation, bypassing UI restrictions, and can lead to complete takeover of the workspace or organization. As of time of publication, no known fixed versions are available.
Title | | Budibase Vulnerable to Privilege Escalation via API Abuse – Creator Can Invite Users with Admin/Any Role
Weaknesses | | CWE-863
References | |
Metrics | | cvssV4_0 {'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-02T16:35:49.534Z

Reserved: 2026-01-28T14:50:47.886Z

Link: CVE-2026-25040

Vulnrichment

Updated: 2026-01-30T14:38:51.378Z

NVD

Status : Analyzed

Published: 2026-01-29T22:15:55.347

Modified: 2026-03-03T15:19:21.950

Link: CVE-2026-25040

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:30:16Z

Weaknesses