Impact
Budibase’s Forgot Password endpoint applies no request throttling or other abuse prevention. An unauthenticated attacker can therefore submit reset requests for the same e‑mail address in a tight loop, and the platform sends a password‑reset e‑mail for every one of them. The resulting flood can fill the target’s inbox, trigger spam filters, and amount to a denial of service against the victim’s mail account. The root cause is a business‑logic weakness (missing rate limiting on an unauthenticated endpoint with a side effect) rather than a memory‑safety or injection bug; its practical consequences are harassment of individual users and reputational damage for the platform provider.
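The weak pattern described above, beside a throttled version, as an added example in plain Node.js. This is not Budibase’s own code and does not use its real endpoint or API: the handler and function names, the limits (20 requests per source IP and 3 per target address per 15 minutes), and the in‑memory counter store are all hypothetical, chosen to make the before/after difference countable on the same simulated flood.

```javascript
// Added example, not Budibase's own code. It models the advisory's weakness
// (a Forgot Password handler that e-mails on every request) beside a
// hardened version that throttles per target address and per source IP.
// Function names, limits, and the in-memory store are hypothetical.

// Records outbound mail instead of sending it, so floods can be counted.
function makeMailer() {
  const sent = [];
  return { send: (to) => sent.push(to), sent };
}

// Trim and lower-case so "Victim@Example.COM" and "victim@example.com"
// share one counter; otherwise case variants bypass a per-address limit.
function normaliseEmail(raw) {
  return String(raw || '').trim().toLowerCase();
}

// Vulnerable pattern: one reset mail per request, no limit of any kind.
function forgotPasswordUnthrottled(mailer, req) {
  const email = normaliseEmail(req.body.email);
  if (!email) return { status: 400, sent: false };
  mailer.send(email);
  return { status: 200, sent: true };
}

// Fixed-window counter keyed by an arbitrary string (an IP or an e-mail).
class FixedWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map(); // key -> { windowStart, count }
  }
  // true if the request may proceed, false once `limit` is exceeded in the window
  allow(key, now) {
    const b = this.buckets.get(key);
    if (!b || now - b.windowStart >= this.windowMs) {
      this.buckets.set(key, { windowStart: now, count: 1 });
      return true;
    }
    b.count += 1;
    return b.count <= this.limit;
  }
}

// Hardened pattern: throttle per source IP (one abusive host) and per
// target e-mail (one victim hammered from many hosts). Over the limit the
// handler still answers 200, so it does not reveal whether the address is
// registered, but it sends nothing.
function makeThrottledHandler({ perIp = 20, perEmail = 3, windowMs = 15 * 60 * 1000 } = {}) {
  const ipLimiter = new FixedWindowLimiter(perIp, windowMs);
  const emailLimiter = new FixedWindowLimiter(perEmail, windowMs);
  return function forgotPasswordThrottled(mailer, req, now = Date.now()) {
    const email = normaliseEmail(req.body.email);
    if (!email) return { status: 400, sent: false };
    // Evaluate both so each counter is charged even when the other blocks.
    const ipOk = ipLimiter.allow(`ip:${req.ip}`, now);
    const emailOk = emailLimiter.allow(`email:${email}`, now);
    const sent = ipOk && emailOk;
    if (sent) mailer.send(email);
    return { status: 200, sent };
  };
}

// Replays the flood from the advisory: `requests` submissions for one
// address, 10 ms apart. `ip` may be a string or a function of the request
// index, to model a single host or a distributed set of hosts.
function simulateFlood(handler, { requests, email, ip }) {
  const mailer = makeMailer();
  for (let i = 0; i < requests; i++) {
    const src = typeof ip === 'function' ? ip(i) : ip;
    handler(mailer, { ip: src, body: { email } }, i * 10);
  }
  return mailer.sent.length;
}

// Constructed sample input (TEST-NET addresses, not real hosts).
const VICTIM = 'victim@example.com';
const SINGLE_ATTACKER = '203.0.113.7';
const BOTNET = (i) => `198.51.100.${i % 200}`;

console.log('unthrottled, one host:', simulateFlood(forgotPasswordUnthrottled, { requests: 500, email: VICTIM, ip: SINGLE_ATTACKER }));
console.log('throttled, one host  :', simulateFlood(makeThrottledHandler(), { requests: 500, email: VICTIM, ip: SINGLE_ATTACKER }));
console.log('throttled, 200 hosts :', simulateFlood(makeThrottledHandler(), { requests: 500, email: VICTIM, ip: BOTNET }));
```

The per‑address counter is the one that matters for this bug: a per‑IP limit alone is defeated by spreading requests over many hosts, while the per‑address limit caps how many mails any one victim receives regardless of where the requests come from. The `Map` store only works for a single process; a deployment with several API replicas needs the counters in a shared store such as Redis, or the limit is multiplied by the replica count.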
Affected Systems
All Budibase installations earlier than release 3.23.25 are affected, regardless of deployment environment. The weakness sits in the low‑code platform’s API layer, so any instance whose password‑reset endpoint is reachable from the internet can be targeted. No deployment type is exempt, and the attacker needs nothing beyond network access to the endpoint and the target’s e‑mail address.
Risk and Exploitability
The CVSS base score of 5.3 places the issue in the medium‑severity range, reflecting a limited impact confined to availability. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, so there is no public evidence of exploitation in the wild. Exploitation is nonetheless trivial: the endpoint requires no authentication and enforces no rate limit, so once a target address is known an attacker can issue reset requests in a loop and flood the mailbox with no further prerequisites. The medium score reflects the bounded impact, not any difficulty in carrying out the attack.
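Because the attack leaves an obvious trace, a burst of reset requests for one address or from one source, it can be detected from application logs even on an instance that has not yet been patched. The following is an added example, not part of the advisory and not Budibase code: the log format (one JSON object per line with `ts`, `event`, `email`, `ip` fields) and the event name `password_reset_requested` are hypothetical, and the sample lines are constructed. The detection is a sliding‑window count per target address and per source IP.

```javascript
// Added example, not from the advisory and not Budibase code. Detects
// password-reset flooding in constructed application log lines. The log
// format and the event name are hypothetical; adapt parseLog() to whatever
// your instance actually emits (the mailer's send log is another option).

// Constructed sample: a normal user, then an eight-request burst against
// one victim from a single TEST-NET host, plus lines that must be ignored.
const SAMPLE_LOG = [
  '{"ts":"2024-05-01T10:00:00Z","event":"password_reset_requested","email":"alice@example.com","ip":"192.0.2.10"}',
  '{"ts":"2024-05-01T10:03:00Z","event":"login_failed","email":"alice@example.com","ip":"192.0.2.10"}',
  '{"ts":"2024-05-01T11:00:00Z","event":"password_reset_requested","email":"victim@example.com","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T11:00:10Z","event":"password_reset_requested","email":"victim@example.com","ip":"203.0.113.7"}',
  'this line is not JSON and must be skipped',
  '{"ts":"2024-05-01T11:00:20Z","event":"password_reset_requested","email":"victim@example.com","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T11:00:30Z","event":"password_reset_requested","email":"VICTIM@example.com","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T11:00:40Z","event":"password_reset_requested","email":"victim@example.com","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T11:00:50Z","event":"password_reset_requested","email":"victim@example.com","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T11:01:00Z","event":"password_reset_requested","email":"victim@example.com","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T11:01:10Z","event":"password_reset_requested","email":"victim@example.com","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T12:00:00Z","event":"password_reset_requested","email":"alice@example.com","ip":"192.0.2.10"}',
].join('\n');

// Keeps only reset-request events, normalises the address, sorts by time.
function parseLog(text) {
  const events = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (rec.event !== 'password_reset_requested') continue;
    events.push({ ts: Date.parse(rec.ts), email: String(rec.email).trim().toLowerCase(), ip: rec.ip });
  }
  return events.sort((a, b) => a.ts - b.ts);
}

// Sliding window: flag any key (target e-mail or source IP) that exceeds
// `threshold` reset requests within `windowMs`. One alert per key, raised
// the first time the threshold is crossed.
function detectResetFloods(events, { windowMs = 10 * 60 * 1000, threshold = 5 } = {}) {
  const alerts = [];
  const byKey = new Map(); // key -> { times: [...], alerted }
  for (const ev of events) {
    for (const key of [`email:${ev.email}`, `ip:${ev.ip}`]) {
      let q = byKey.get(key);
      if (!q) byKey.set(key, (q = { times: [], alerted: false }));
      q.times.push(ev.ts);
      while (q.times[0] < ev.ts - windowMs) q.times.shift(); // drop out-of-window
      if (q.times.length > threshold && !q.alerted) {
        q.alerted = true;
        alerts.push({
          key,
          count: q.times.length,
          first: new Date(q.times[0]).toISOString(),
          last: new Date(ev.ts).toISOString(),
        });
      }
    }
  }
  return alerts;
}

for (const a of detectResetFloods(parseLog(SAMPLE_LOG))) {
  console.log(`reset flood: ${a.key} ${a.count} requests between ${a.first} and ${a.last}`);
}
```

Alerting on the target address as well as the source IP is what catches a distributed flood; the per‑IP key catches a single host that rotates through many victims. The threshold should sit above what a confused legitimate user produces (a handful of clicks within a few minutes) and below the volume needed to cause harm.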
OpenCVE Enrichment