Description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. This issue is a combination of Vertical Privilege Escalation and IDOR (Insecure Direct Object Reference) due to missing server-side RBAC checks in the /api/global/users endpoints. A Creator-level user, who should have no permissions to manage users or organizational roles, can instead promote an App Viewer to Tenant Admin, demote a Tenant Admin to App Viewer, or modify the Owner’s account details and all orders (e.g., change name). This is because the API accepts these actions without validating the requesting role, a Creator can replay Owner-only requests using their own session tokens. This leads to full tenant compromise.
Published: 2026-03-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation with full tenant compromise
Action: Immediate Patch
AI Analysis

Impact

A Creator-level user can exploit missing server‑side role checks on the /api/global/users API to promote or demote users and alter owner account details, effectively gaining full tenant control. This flaw combines vertical privilege escalation with an insecure direct object reference, allowing a low‑privileged account to perform actions reserved for higher‑level roles without validation. The impact is a compromise of confidentiality, integrity, and availability for the entire tenant.

Affected Systems

Budibase, a low‑code platform for internal tools, is the affected product. The vulnerability applies to all deployments of Budibase where the /api/global/users endpoints are accessible, regardless of specific version numbers as none were disclosed.

Risk and Exploitability

The flaw carries a CVSS score of 8.7, indicating high severity. The EPSS score is less than 1%, suggesting exploitation is unlikely at present, yet the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. The likely attack vector is internal user compromise: a legitimate Creator account can use normal session tokens to replay Owner‑only requests. Successful exploitation leads to full tenant compromise, making rapid remediation crucial.

Generated by OpenCVE AI on April 16, 2026 at 10:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Budibase release that includes server‑side RBAC checks for the /api/global/users endpoints
  • Revoke or re‑align Creator privileges to remove ability to manage user roles or organisational settings
  • Monitor user activity logs for unauthorized role changes and enforce least‑privilege controls until the patch is deployed

Generated by OpenCVE AI on April 16, 2026 at 10:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Budibase
Budibase budibase
Vendors & Products Budibase
Budibase budibase

Mon, 09 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Budibase is a low code platform for creating internal tools, workflows, and admin panels. This issue is a combination of Vertical Privilege Escalation and IDOR (Insecure Direct Object Reference) due to missing server-side RBAC checks in the /api/global/users endpoints. A Creator-level user, who should have no permissions to manage users or organizational roles, can instead promote an App Viewer to Tenant Admin, demote a Tenant Admin to App Viewer, or modify the Owner’s account details and all orders (e.g., change name). This is because the API accepts these actions without validating the requesting role, a Creator can replay Owner-only requests using their own session tokens. This leads to full tenant compromise.
Title Budibase Critical Privilege Escalation & IDOR via Missing RBAC on User Role Management (Creator-Role)
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Budibase Budibase
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:34:21.488Z

Reserved: 2026-01-28T14:50:47.886Z

Link: CVE-2026-25045

cve-icon Vulnrichment

Updated: 2026-03-09T20:31:33.750Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-09T21:16:15.173

Modified: 2026-03-13T19:21:13.780

Link: CVE-2026-25045

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T10:15:26Z

Weaknesses