Description
Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares to the SCIM router: requireSCIM (checks the Enterprise feature flag and SCIM config) and doInScimContext (sets the SCIM request context). There is no role check. Any authenticated user who reaches the worker (BASIC role, workspace-scoped builder, anyone) can call SCIM endpoints and CRUD every user and group in the tenant. This vulnerability is fixed in 3.38.2.
Published: 2026-05-27
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Any authenticated user, including those with BASIC role or workspace-scoped builder, can call the SCIM endpoints and perform create, read, update, and delete operations on any user or group within the tenant. This lack of role-based authorization grants the attacker broad access to tenant user data and allows manipulation of accounts, compromising confidentiality, integrity, and potentially availability. The vulnerability is a classic authorization bypass, identified as CWE-862.

Affected Systems

Budibase installations using any version of the platform before release 3.38.2 are impacted. The issue resides in the packages/worker/src/api/routes/global/scim.ts module, which only enforces the SCIM feature flag and request context but does not impose any role check. Therefore every authenticated user, regardless of role, can reach these endpoints and perform CRUD operations on tenant users and groups.
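The middleware chain described above can be modelled with a few lines of Koa-style TypeScript. The block below is an added illustration, not Budibase's own code: `requireSCIM` and `doInScimContext` are named in the advisory, but their bodies, the `Ctx` shape, the `compose` helper and the `requireTenantAdmin` middleware are assumptions made for this example. It contrasts the pre-3.38.2 router (feature gate and context only) with a router that places an explicit role check in front of every SCIM handler, and shows that disabling SCIM (the interim mitigation) short-circuits the chain before any handler runs.

```typescript
// Added illustration, not Budibase code: a minimal Koa-style middleware chain
// showing why the SCIM router needed an authorization check before its handlers.

type Role = "BASIC" | "BUILDER" | "ADMIN";

interface Ctx {
  user: { id: string; role: Role; tenantId: string };
  scimEnabled: boolean;                 // stands in for the Enterprise flag + SCIM config
  scimContext?: { tenantId: string };   // set by doInScimContext
  status: number;                       // Koa defaults to 404 until a handler sets it
  body?: unknown;
}

type Middleware = (ctx: Ctx, next: () => void) => void;

// Koa-style composition: each middleware runs, then decides whether to call next().
function compose(stack: Middleware[]): (ctx: Ctx) => void {
  return (ctx) => {
    const dispatch = (idx: number): void => {
      const fn = stack[idx];
      if (fn) fn(ctx, () => dispatch(idx + 1));
    };
    dispatch(0);
  };
}

// Assumed behaviour of the two middlewares the advisory says were attached.
const requireSCIM: Middleware = (ctx, next) => {
  if (!ctx.scimEnabled) { ctx.status = 404; return; }   // feature not licensed/configured
  next();
};

const doInScimContext: Middleware = (ctx, next) => {
  ctx.scimContext = { tenantId: ctx.user.tenantId };    // request context only, no authz
  next();
};

// The missing piece (hypothetical name): reject anyone who is not a tenant admin.
const requireTenantAdmin: Middleware = (ctx, next) => {
  if (ctx.user.role !== "ADMIN") { ctx.status = 403; return; }
  next();
};

// Stand-in for a SCIM handler such as "list users" (constructed sample data).
const listUsers: Middleware = (ctx) => {
  ctx.status = 200;
  ctx.body = { Resources: ["user-1", "user-2"] };
};

// Router as described for versions before 3.38.2: feature gate + context, then handlers.
const vulnerableScimRouter = compose([requireSCIM, doInScimContext, listUsers]);

// Router with an explicit role check ahead of every SCIM handler.
const hardenedScimRouter = compose([requireSCIM, doInScimContext, requireTenantAdmin, listUsers]);

// Simulate one request and return the resulting HTTP status.
function request(router: (ctx: Ctx) => void, role: Role, scimEnabled = true): number {
  const ctx: Ctx = { user: { id: "u1", role, tenantId: "t1" }, scimEnabled, status: 404 };
  router(ctx);
  return ctx.status;
}

console.log("BASIC user, vulnerable router:", request(vulnerableScimRouter, "BASIC"));  // 200
console.log("BASIC user, hardened router:  ", request(hardenedScimRouter, "BASIC"));    // 403
console.log("ADMIN user, hardened router:  ", request(hardenedScimRouter, "ADMIN"));    // 200
console.log("SCIM disabled, any role:      ", request(hardenedScimRouter, "ADMIN", false)); // 404
```

The point to check in any router of this kind is ordering: the authorization middleware has to sit before the handlers on the same router, so a newly added SCIM route cannot be reached without passing it.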

Risk and Exploitability

With a CVSS score of 9.9, the vulnerability is considered Critical. The EPSS score is not available, but the absence of an EPSS does not diminish the high severity rating. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a direct HTTP request to the SCIM API endpoints from any authenticated user, with no prerequisites beyond authentication. Once reached, the endpoints allow tenant users and groups to be manipulated without restriction.

Generated by OpenCVE AI on May 27, 2026 at 21:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Budibase patch by upgrading to version 3.38.2 or later
  • If immediate upgrade is not feasible, disable the SCIM feature through configuration or environment settings to block access to the vulnerable endpoints
  • Restrict network exposure to the worker endpoint by implementing firewall rules or access controls to allow only trusted IP ranges or internal traffic



Advisories

No advisories yet.

History

Thu, 28 May 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 02:30:00 +0000

Type: First Time appeared
Values Added: Budibase; Budibase budibase

Type: Vendors & Products
Values Added: Budibase; Budibase budibase

Wed, 27 May 2026 17:45:00 +0000

Type: Description
Values Added: Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares to the SCIM router: requireSCIM (checks the Enterprise feature flag and SCIM config) and doInScimContext (sets the SCIM request context). There is no role check. Any authenticated user who reaches the worker (BASIC role, workspace-scoped builder, anyone) can call SCIM endpoints and CRUD every user and group in the tenant. This vulnerability is fixed in 3.38.2.

Type: Title
Values Added: Budibase: SCIM endpoints lack role-based authorization, BASIC users CRUD tenant users

Type: Weaknesses
Values Added: CWE-862

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M


Updated: 2026-05-28T18:46:31.717Z

Reserved: 2026-05-13T22:18:22.829Z

Link: CVE-2026-46425

Vulnrichment

Updated: 2026-05-27T18:37:27.367Z

NVD

Status : Deferred

Published: 2026-05-27T18:16:26.330

Modified: 2026-06-17T10:53:39.710

Link: CVE-2026-46425

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T02:15:03Z

Weaknesses