Description
Budibase is an open-source low-code platform. Prior to 3.39.0, /api/public/v1/roles/assign is guarded by the builderOrAdmin middleware, which passes any user who is a builder for the app id in the x-budibase-app-id header. That check admits both global builders and workspace-scoped builders (builder.apps set but builder.global unset). The controller then spreads the request body into the SDK call, and the SDK grants builder.global=true or admin.global=true on whichever user ids the caller supplies. Bob, a workspace-scoped builder with an API key, promotes himself or any other user to global admin with one POST. The whole flow is tenant-wide privilege escalation from an app-level role, available to anyone with an Enterprise license that unlocks the EXPANDED_PUBLIC_API feature. This vulnerability is fixed in 3.39.0.
Published: 2026-05-27
Score: 9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Budibase low-code platform, the /api/public/v1/roles/assign endpoint was protected only by a middleware that passed any user holding a builder role for the app ID named in the request. The backend then forwarded the request body to an SDK call that could set a user's builder.global or admin.global flag without further checks. Consequently, a workspace-scoped builder who held an API key could elevate themselves or any other user to global administrator with a single POST request, effectively gaining control across the whole tenant.
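The two defects the description names, an authorization gate that treats an app-scoped builder like a global one and a request body spread straight into the role-granting call (CWE-915), modelled as an added example next to a hardened version of each. This is illustrative code, not Budibase's; the builder.global / builder.apps / admin.global flags follow the advisory, while the sample users, the { userIds, role } body shape and the function names are assumptions.

```javascript
// Added example, not Budibase's code: models the weak authorization check and
// the mass-assignment pattern (CWE-915) the advisory describes, beside a
// hardened gate and a hardened body parser.

// Constructed sample users. The builder.global / builder.apps / admin.global
// flags follow the advisory; everything else is hypothetical.
const users = {
  alice: { id: "alice", builder: { global: true } },
  bob: { id: "bob", builder: { apps: ["app_1"] } },
  carol: { id: "carol" },
};

// Weak gate: being a builder for the app named in the header is enough.
function builderOrAdminWeak(user, appId) {
  return Boolean(
    user.admin?.global || user.builder?.global || user.builder?.apps?.includes(appId),
  );
}

// Hardened gate: granting tenant-wide flags requires tenant-wide rights.
function canAssignGlobalRoles(user) {
  return Boolean(user.admin?.global || user.builder?.global);
}

// Hardened body handling: copy only the documented fields instead of
// spreading req.body into the SDK call (hypothetical shape: { userIds, role }).
function parseAssignBody(body) {
  const extra = Object.keys(body).filter((k) => k !== "userIds" && k !== "role");
  if (extra.length) throw new Error(`unexpected fields: ${extra.join(", ")}`);
  if (!Array.isArray(body.userIds) || !["builder", "admin"].includes(body.role)) {
    throw new Error("invalid body");
  }
  return { userIds: body.userIds, role: body.role };
}

// Hardened handler: returns an HTTP-style status and mutates `store` only
// when the caller passes the stricter gate and the body is well-formed.
function assignRolesHardened(caller, body, store) {
  if (!canAssignGlobalRoles(caller)) return 403;
  let parsed;
  try { parsed = parseAssignBody(body); } catch { return 400; }
  for (const id of parsed.userIds) {
    if (!store[id]) return 404;
    store[id][parsed.role] = { ...store[id][parsed.role], global: true };
  }
  return 200;
}
```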

Affected Systems

All Budibase installations running a version earlier than 3.39.0 with the EXPANDED_PUBLIC_API feature enabled (typically requiring an Enterprise license) are affected. Every application deployed in such an instance is exposed, and any user holding a builder role for an app can exploit the flaw.

Risk and Exploitability

The CVSS score of 9 indicates critical severity. Although no EPSS score is available, the flaw is reachable remotely through the public API and yields direct full-tenant control. The vulnerability is not listed in the CISA KEV catalog, but its potential for widespread impact and the absence of built-in mitigations make it highly dangerous. Anyone who can obtain or guess an API key for a workspace-scoped builder can exploit this flaw.

Generated by OpenCVE AI on May 27, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch included in Budibase version 3.39.0 or later.
  • Disable the EXPANDED_PUBLIC_API feature until the patch is applied or restrict its usage to trusted administrators.
  • Consider temporarily blocking or hard‑coding the /api/public/v1/roles/assign endpoint, and review all existing API keys to ensure only necessary accounts retain access.


Advisories

No advisories yet.

History

Wed, 27 May 2026 18:30:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 17:45:00 +0000

Type: Description
Values added: (the Description text shown at the top of this page)

Type: Title
Values added: Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign

Type: Weaknesses
Values added: CWE-915

Type: References (no values shown)

Type: Metrics (cvssV3_1)
Values added: {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T17:57:41.445Z

Reserved: 2026-05-20T23:12:43.030Z

Link: CVE-2026-48150

Vulnrichment

Updated: 2026-05-27T17:56:00.714Z

NVD

Status: Deferred

Published: 2026-05-27T18:16:27.463

Modified: 2026-05-27T19:44:35.987

Link: CVE-2026-48150

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:30:35Z

Weaknesses