PatchSiren cyber security CVE debrief
CVE-2026-45716 Budibase CVE debrief
A privilege escalation vulnerability in Budibase, an open-source low-code platform, allows builder-level users to create global admin accounts when SMTP email is not configured. The POST /api/global/users/onboard endpoint, protected only by workspaceBuilderOrAdmin middleware, accepts arbitrary role assignments in the request body and returns generated passwords in the response. This bypasses the intended admin-restricted invite flow on self-hosted instances where SMTP is disabled by default. The vulnerability is fixed in version 3.38.1.
- Vendor: Budibase
- Product: Unknown
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running self-hosted Budibase instances prior to 3.38.1, particularly those with multiple builder-level users or without SMTP email configured. Security teams responsible for low-code platform governance and identity management infrastructure.
Technical summary
The vulnerability exists in the POST /api/global/users/onboard endpoint, which uses the workspaceBuilderOrAdmin middleware instead of stricter admin-only protection. When SMTP is unconfigured (the default for self-hosted deployments), the endpoint calls bulkCreate directly rather than routing through the admin invite flow. The request body accepts arbitrary role assignments, including 'admin', and the response includes the auto-generated password. A builder-authenticated attacker can therefore create a new global administrator account and immediately authenticate with the returned credentials, achieving complete privilege escalation from builder to global admin.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Budibase to version 3.38.1 or later to remediate this vulnerability
- If immediate patching is not possible, restrict builder-level user assignments to trusted personnel only
- Review existing user accounts for unauthorized admin-level access created through the vulnerable endpoint
- Enable and configure SMTP email for user invitations to enforce the intended admin-restricted invite flow
- Audit application logs for POST requests to /api/global/users/onboard with elevated role assignments
- Implement network-level access controls to limit exposure of Budibase administrative endpoints to authorized administrative hosts only
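The two review actions above (auditing logs for POST requests to the onboarding endpoint and reviewing accounts for unauthorized admin access) as an added TypeScript example, not PatchSiren's or Budibase's tooling. The access-log line format, the user-export fields and all sample records are constructed for this illustration; adapt the regex to the reverse proxy actually in front of the instance.

```typescript
// Added example, not Budibase's or PatchSiren's code. Log format, user-export
// fields and sample data are constructed assumptions for this illustration.

export interface OnboardHit { ts: Date; client: string; status: number; }

// Assumed proxy format: "<ISO timestamp> <client> "<METHOD> <path> HTTP/x" <status>"
const ACCESS_LINE = /^(\S+) (\S+) "(\w+) (\S+) [^"]*" (\d{3})/;
const ONBOARD_PATH = "/api/global/users/onboard";

// Pull every POST to the onboarding endpoint out of an access log.
export function findOnboardRequests(lines: string[]): OnboardHit[] {
  const hits: OnboardHit[] = [];
  for (const line of lines) {
    const m = ACCESS_LINE.exec(line);
    if (!m) continue;
    const [, ts, client, method, path, status] = m;
    if (method === "POST" && path.split("?")[0] === ONBOARD_PATH) {
      hits.push({ ts: new Date(ts), client, status: Number(status) });
    }
  }
  return hits;
}

export interface UserRecord { email: string; admin: boolean; createdAt: string; }

// Admin accounts not on the known-admin list whose creation time falls within
// `windowMs` of a successful onboarding call are flagged for manual review.
export function suspectAdmins(
  users: UserRecord[],
  hits: OnboardHit[],
  knownAdmins: Set<string>,
  windowMs = 5 * 60 * 1000,
): UserRecord[] {
  const successful = hits.filter(h => h.status >= 200 && h.status < 300);
  return users.filter(u => {
    if (!u.admin || knownAdmins.has(u.email)) return false;
    const created = new Date(u.createdAt).getTime();
    return successful.some(h => Math.abs(created - h.ts.getTime()) <= windowMs);
  });
}

// Constructed sample data.
export const SAMPLE_LOG: string[] = [
  '2026-05-27T10:14:58Z 10.0.0.5 "GET /api/global/self HTTP/1.1" 200',
  '2026-05-27T10:15:03Z 10.0.0.5 "POST /api/global/users/onboard HTTP/1.1" 200',
  '2026-05-27T10:20:41Z 10.0.0.9 "POST /api/global/users/onboard HTTP/1.1" 403',
  '2026-05-27T11:02:10Z 10.0.0.7 "POST /api/global/users/invite HTTP/1.1" 200',
];

export const SAMPLE_USERS: UserRecord[] = [
  { email: "ops-admin@example.test", admin: true, createdAt: "2025-11-02T09:00:00Z" },
  { email: "new-admin@example.test", admin: true, createdAt: "2026-05-27T10:15:04Z" },
  { email: "dev@example.test", admin: false, createdAt: "2026-05-27T10:15:04Z" },
];

export const KNOWN_ADMINS = new Set(["ops-admin@example.test"]);

export function runSample(): UserRecord[] {
  return suspectAdmins(SAMPLE_USERS, findOnboardRequests(SAMPLE_LOG), KNOWN_ADMINS);
}
```

A 403 on the endpoint is still worth a look (someone tried), which is why `findOnboardRequests` keeps all statuses and only `suspectAdmins` narrows to successful calls.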
Evidence notes
CVE description confirms the endpoint protection bypass and privilege escalation mechanism. GitHub Security Advisory GHSA-c54j-xp92-wh28 and release 3.38.1 provide fix confirmation. CVSS 8.8 (HIGH) reflects network attack vector with low attack complexity and high impact to confidentiality, integrity, and availability.
Official resources
2026-05-27