Impact
A missing cache invalidation in Budibase’s public API role unassignment endpoint means that when an admin, builder or app‑level role is removed via POST /api/public/v1/roles/unassign, the updated user document in CouchDB is not reflected in the Redis cache that the authentication middleware consults to resolve permissions. Because the cached entry remains valid for 3600 seconds, the affected user keeps the revoked privileges for up to an hour after the unassignment request has succeeded. This is a privilege management flaw classified as CWE‑269: the system fails to revoke privileges promptly after the user's authorization data changes.
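The stale-cache condition described above, as an added illustration that is not Budibase's code: an in-memory stand-in for the Redis user cache with a TTL and for the CouchDB user store, the vulnerable unassign pattern beside a hypothetical fixed one, and an auth-middleware lookup that shows the revoked role surviving until the cache entry expires. All names, the simulated clock and the sample user are constructed for this example.

```typescript
// Added illustration, not Budibase's code. In-memory stand-ins (constructed
// here) for the Redis user cache with a TTL and for the CouchDB user store.
type UserDoc = { id: string; roles: string[] };
type Entry = { doc: UserDoc; expiresAt: number };
const USER_CACHE_TTL_SECONDS = 3600;    // TTL quoted in the advisory
let clockMs = 0;                        // simulated clock, advanced by the scenario
const cache = new Map<string, Entry>(); // stands in for Redis
const db = new Map<string, UserDoc>();  // stands in for CouchDB

function cacheGet(userId: string): UserDoc | undefined {
  const e = cache.get(userId);
  if (!e) return undefined;
  if (e.expiresAt <= clockMs) { cache.delete(userId); return undefined; }
  return e.doc;
}
// Auth-middleware path: serve from cache, otherwise read the DB and cache it.
function resolveUser(userId: string): UserDoc | undefined {
  const hit = cacheGet(userId);
  if (hit) return hit;
  const doc = db.get(userId);
  if (doc) cache.set(userId, { doc, expiresAt: clockMs + USER_CACHE_TTL_SECONDS * 1000 });
  return doc;
}
function hasRole(userId: string, role: string): boolean {
  const doc = resolveUser(userId);
  return doc !== undefined && doc.roles.indexOf(role) !== -1;
}
// Vulnerable pattern: the DB document is updated but the cache entry is left alone.
function unassignRoleStale(userId: string, role: string): void {
  const doc = db.get(userId);
  if (doc) db.set(userId, { id: userId, roles: doc.roles.filter(r => r !== role) });
}
// Fixed pattern (hypothetical): evict the cached user after the write so the
// next request re-reads the authoritative document.
function unassignRoleFixed(userId: string, role: string): void {
  unassignRoleStale(userId, role);
  cache.delete(userId);
}
// Scenario: warm the cache, revoke ADMIN, then check what the middleware sees
// immediately and again once the TTL has elapsed.
function runScenario(fixed: boolean): { rightAfter: boolean; afterTtl: boolean } {
  clockMs = 0; cache.clear(); db.clear();
  db.set("u1", { id: "u1", roles: ["ADMIN"] });
  hasRole("u1", "ADMIN"); // first request populates the cache
  (fixed ? unassignRoleFixed : unassignRoleStale)("u1", "ADMIN");
  const rightAfter = hasRole("u1", "ADMIN");
  clockMs += USER_CACHE_TTL_SECONDS * 1000; // one hour later the entry has expired
  return { rightAfter, afterTtl: hasRole("u1", "ADMIN") };
}
```

With the stale pattern `runScenario(false)` reports the ADMIN role still present right after revocation and gone only after the hour; with eviction on write, `runScenario(true)` reports it gone immediately.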
Affected Systems
Budibase open‑source low‑code platform versions prior to 3.38.2 are affected. The vulnerability was fixed in release 3.38.2, as announced by the Budibase team and documented in its GitHub release notes and security advisory.
Risk and Exploitability
The CVSS score of 4.2 indicates low severity, and no EPSS score is available, suggesting a low probability of exploitation at this time. Budibase is not listed in the CISA KEV catalog, which further supports a low threat level. However, the attack vector is likely the public API: any authenticated user whose privileged roles are revoked retains them for the duration of the cache window. An attacker could deliberately revoke their own or a compromised account's roles to exploit this window, but doing so requires valid credentials, which limits the attack surface.
OpenCVE Enrichment
Github GHSA