Description
Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured (the default for self-hosted Budibase instances), this endpoint bypasses the admin-restricted invite flow and directly creates users via bulkCreate, accepting arbitrary admin and builder role assignments from the request body. A builder-level user can create a new global admin account and receive the generated password in the response, achieving full privilege escalation. This vulnerability is fixed in 3.38.1.
Published: 2026-05-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A user holding builder permissions can call POST /api/global/users/onboard, which the workspaceBuilderOrAdmin middleware admits. When SMTP email is not configured, the handler skips the admin-restricted invite flow and creates users directly via bulkCreate, taking the admin and builder role flags from the request body. A builder can therefore create a new global admin account and read its generated password straight out of the HTTP response, with no email delivery involved, which gives them full administrative control of the instance.

Affected Systems

All Budibase versions prior to 3.38.1 are affected when SMTP is not configured, which the advisory notes is the default for self-hosted instances. The precondition is an authenticated account holding the builder role, so every non-admin builder on such an instance can exercise the escalation; deployments that grant builder access widely, for example to contractors or to a large developer population, carry the most exposure.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates high severity. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, so there is no evidence of exploitation in the wild at the time of writing. The precondition is narrow in that it requires a builder-level session, but the exploitation path itself is a single authenticated POST to /api/global/users/onboard (the onboardUsers handler) with no user interaction. Given the ease of exploitation and the resulting full admin control, the risk remains high for affected environments.

Generated by OpenCVE AI on May 27, 2026 at 21:02 UTC.

Remediation

The vendor fix is Budibase 3.38.1 (GHSA-c54j-xp92-wh28); the advisory publishes no separate workaround. The items under Recommended Actions below are interim measures that follow from the description of the vulnerable code path, not vendor-issued guidance.

OpenCVE Recommended Actions

  • Upgrade to Budibase 3.38.1 or later, which fixes the builder-to-admin privilege escalation. Note that the issue requires an authenticated builder session (CVSS PR:L); it is not an unauthenticated flaw, so builder accounts are the population to audit.
  • If an immediate upgrade is not possible, block POST /api/global/users/onboard at the reverse proxy or firewall. A proxy generally cannot distinguish a builder session from an admin session, so expect the block to disable the endpoint for admins as well until the upgrade is applied.
  • Configure SMTP on the instance. According to the advisory the direct-creation path is only taken when SMTP is absent, so with SMTP present onboarding goes through the admin-restricted invite flow. Treat this as a stopgap that narrows the path rather than as a substitute for the upgrade.
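Two checks that support the actions above, as an added example written for this page (not Budibase or OpenCVE tooling): a dotted-version comparison against the fixed release, and a scan of reverse-proxy access logs for POST calls to the onboard endpoint, which is what you would review before a proxy block goes in (to find prior abuse) and after (to confirm requests are now rejected). The log lines are constructed in nginx "combined" format; the addresses, timestamps and user agents are made up.

```typescript
// Added example, not Budibase or OpenCVE code. Log lines below are constructed.

const FIXED_VERSION = "3.38.1";
const ONBOARD_PATH = "/api/global/users/onboard";

// Numeric dotted-version compare: true when `version` is older than the fix.
// A leading "v" and any pre-release suffix after "-" are ignored.
function isAffected(version: string, fixed: string = FIXED_VERSION): boolean {
  const parse = (v: string): number[] =>
    v.replace(/^v/, "").split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
  const a = parse(version);
  const b = parse(fixed);
  const len = Math.max(a.length, b.length);
  for (let i = 0; i < len; i++) {
    const x = i < a.length ? a[i] : 0;
    const y = i < b.length ? b[i] : 0;
    if (x !== y) return x < y;
  }
  return false; // same version as the fix is not affected
}

interface OnboardCall { ip: string; time: string; status: number; }

// nginx/Apache "combined" format: ip ident user [time] "METHOD path HTTP/x" status ...
const COMBINED_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3}) /;

function findOnboardCalls(lines: string[]): OnboardCall[] {
  const hits: OnboardCall[] = [];
  for (const line of lines) {
    const m = COMBINED_RE.exec(line);
    if (!m) continue;
    const [, ip, time, method, target, status] = m;
    const path = target.split("?")[0]; // a query string must not hide the path
    if (method === "POST" && path === ONBOARD_PATH) {
      hits.push({ ip, time, status: Number(status) });
    }
  }
  return hits;
}

// Constructed sample: one call that succeeded, one that a proxy rule rejected,
// and unrelated traffic (other paths, a GET to the same path) that must not match.
const SAMPLE_LOG: string[] = [
  '203.0.113.10 - - [27/May/2026:21:00:01 +0000] "GET /builder HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.10 - - [27/May/2026:21:00:07 +0000] "POST /api/global/users/onboard HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [27/May/2026:21:02:44 +0000] "POST /api/global/users/onboard?x=1 HTTP/1.1" 403 153 "-" "curl/8.5.0"',
  '198.51.100.7 - - [27/May/2026:21:02:50 +0000] "POST /api/global/users HTTP/1.1" 200 88 "-" "curl/8.5.0"',
  '198.51.100.7 - - [27/May/2026:21:02:55 +0000] "GET /api/global/users/onboard HTTP/1.1" 404 0 "-" "curl/8.5.0"',
];

// Summary a responder can act on: how many calls, how many succeeded, from where.
function summarize(lines: string[]): { total: number; succeeded: number; sources: string[] } {
  const calls = findOnboardCalls(lines);
  return {
    total: calls.length,
    succeeded: calls.filter((c) => c.status === 200).length,
    sources: Array.from(new Set(calls.map((c) => c.ip))).sort(),
  };
}
```

A successful (200) POST to the onboard path from a non-admin user's session on a pre-3.38.1 instance without SMTP is the signal to go and look for newly created admin accounts; once a proxy block is in place the same scan should show only 403s for that path.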

Advisories
Source: GitHub GHSA
ID: GHSA-c54j-xp92-wh28
Title: Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration
History

Thu, 28 May 2026 02:30:00 +0000

Type: First Time appeared
Values Added: Budibase; Budibase budibase

Type: Vendors & Products
Values Added: Budibase; Budibase budibase

Wed, 27 May 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 17:45:00 +0000

Type: Description
Values Added: Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured (the default for self-hosted Budibase instances), this endpoint bypasses the admin-restricted invite flow and directly creates users via bulkCreate, accepting arbitrary admin and builder role assignments from the request body. A builder-level user can create a new global admin account and receive the generated password in the response, achieving full privilege escalation. This vulnerability is fixed in 3.38.1.

Type: Title
Values Added: Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration

Type: Weaknesses
Values Added: CWE-269

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T18:34:27.255Z

Reserved: 2026-05-13T05:51:48.666Z

Link: CVE-2026-45716

Vulnrichment

Updated: 2026-05-27T18:33:59.295Z

NVD

Status : Deferred

Published: 2026-05-27T18:16:25.570

Modified: 2026-05-27T20:16:39.200

Link: CVE-2026-45716

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T02:15:03Z

Weaknesses
  • CWE-269: Improper Privilege Management