PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46424 Budibase CVE debrief

Budibase is an open-source low-code platform. Prior to 3.38.2, the public API role unassignment endpoint (POST /api/public/v1/roles/unassign) updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user identity and permissions from this cache (TTL: 3600 seconds), a user whose admin, builder, or app-level roles have been revoked via the public API retains those privileges for up to 1 hour. This vulnerability is fixed in 3.38.2.

Vendor: Budibase
Product: Unknown
CVSS: MEDIUM 4.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running self-hosted Budibase instances prior to version 3.38.2, particularly those with automated role management workflows using the public API. Security teams responsible for identity and access management in low-code platforms, as well as administrators who rely on timely revocation of elevated privileges for compliance or operational security purposes.

Technical summary

The vulnerability exists in Budibase's public API role unassignment endpoint (POST /api/public/v1/roles/unassign). When this endpoint is invoked to revoke admin, builder, or app-level roles from a user, the system updates the user document in CouchDB but fails to invalidate or clear the corresponding entry in the Redis user cache. The authentication middleware relies on this Redis cache to resolve user identity and permissions, with entries having a time-to-live (TTL) of 3600 seconds (1 hour). Consequently, a user whose roles have been revoked continues to possess those privileges until the cache entry expires naturally, creating a window of unauthorized access. This represents an instance of CWE-269 (Improper Privilege Management) due to the failure to synchronize authorization state across data stores.

Defensive priority

MEDIUM

Recommended defensive actions

  • Upgrade Budibase to version 3.38.2 or later to remediate the cache invalidation vulnerability
  • Review and audit recent role unassignment operations performed via the public API to identify potentially affected user sessions
  • Consider reducing Redis user cache TTL values temporarily if immediate patching is not feasible, while planning for upgrade
  • Monitor authentication logs for anomalous access patterns from users who recently had roles revoked
  • Validate that role-based access control enforcement is functioning as expected after applying the patch
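The stale-cache window described in the technical summary, together with the effect of the TTL reduction and the post-patch revocation check listed above, modelled as an added Python example. This is not Budibase code: it uses an in-memory stand-in for the CouchDB user documents and for the Redis user cache, driven by a simulated clock, so the timing can be measured offline. The class and function names, the sample user "alice" and the role names are assumptions for illustration; only the 3600-second TTL comes from the advisory.

```python
"""Model of a role revocation that updates the database but not the user cache.

Added illustration (not Budibase code). `Platform.unassign_role_stale` mirrors
the defect described in the debrief: the user document is updated, the cached
entry the auth middleware reads from is left alone. `unassign_role_fixed`
drops the cached entry as well. All names and sample data are assumptions.
"""

DEFAULT_TTL_SECONDS = 3600  # TTL stated in the advisory


class Clock:
    """Simulated clock so the example can step through an hour instantly."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class UserCache:
    """Stand-in for the Redis user cache: roles plus an absolute expiry time."""

    def __init__(self, clock, ttl_seconds):
        self.clock = clock
        self.ttl = ttl_seconds
        self.entries = {}

    def get(self, user_id):
        hit = self.entries.get(user_id)
        if hit is None:
            return None
        roles, expires_at = hit
        if self.clock.now >= expires_at:
            del self.entries[user_id]  # expired: behaves like TTL eviction
            return None
        return roles

    def set(self, user_id, roles):
        self.entries[user_id] = (set(roles), self.clock.now + self.ttl)

    def invalidate(self, user_id):
        self.entries.pop(user_id, None)


class Platform:
    """Assumed shape of the system: user documents, user cache, auth middleware."""

    def __init__(self, ttl_seconds=DEFAULT_TTL_SECONDS):
        self.clock = Clock()
        self.db = {}  # stand-in for CouchDB user documents
        self.cache = UserCache(self.clock, ttl_seconds)

    def create_user(self, user_id, roles):
        self.db[user_id] = {"roles": set(roles)}

    def resolve_roles(self, user_id):
        """Auth middleware: cache first, database on a miss, then repopulate."""
        roles = self.cache.get(user_id)
        if roles is None:
            roles = set(self.db[user_id]["roles"])
            self.cache.set(user_id, roles)
        return roles

    def is_admin(self, user_id):
        return "admin" in self.resolve_roles(user_id)

    def unassign_role_stale(self, user_id, role):
        """Defective pattern: persist the change, leave the cache untouched."""
        self.db[user_id]["roles"].discard(role)

    def unassign_role_fixed(self, user_id, role):
        """Corrected pattern: persist the change and drop the cached entry."""
        self.db[user_id]["roles"].discard(role)
        self.cache.invalidate(user_id)


def seconds_of_stale_privilege(unassign_method, ttl=DEFAULT_TTL_SECONDS):
    """Seconds after revocation during which the user still resolves as admin.

    `unassign_method` names the Platform method to exercise. A result of 0 means
    the revocation took effect on the very next request.
    """
    platform = Platform(ttl_seconds=ttl)
    platform.create_user("alice", {"admin"})
    if not platform.is_admin("alice"):  # warm the cache, as a prior request would
        raise RuntimeError("setup failed: alice should start as admin")
    getattr(platform, unassign_method)("alice", "admin")
    stale = 0
    while stale <= ttl and platform.is_admin("alice"):
        platform.clock.advance(1)
        stale += 1
    return stale


def revocation_is_immediate(unassign_method, ttl=DEFAULT_TTL_SECONDS):
    """Post-change check: does a revoked role disappear on the next request?"""
    return seconds_of_stale_privilege(unassign_method, ttl) == 0


if __name__ == "__main__":
    for name in ("unassign_role_stale", "unassign_role_fixed"):
        print(f"{name}: admin rights linger for {seconds_of_stale_privilege(name)} s")
    print("stale pattern, TTL lowered to 600 s:",
          seconds_of_stale_privilege("unassign_role_stale", ttl=600), "s")
```

With the default TTL the stale pattern leaves "alice" resolving as admin for the full 3600 seconds after revocation, the fixed pattern for 0 seconds, and lowering the TTL to 600 seconds shrinks the stale window to 600 seconds without closing it, which is why the TTL reduction above is a stop-gap rather than a fix. `revocation_is_immediate` is the kind of check to run against a model of the patched behaviour: a revoked role must be gone on the very next authenticated request.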

Evidence notes

The vulnerability was disclosed via GitHub Security Advisory GHSA-6vp2-6r7m-2jvx and patched in Budibase release 3.38.2. The issue involves a cache invalidation failure in the Redis user cache when role unassignments are processed through the public API, with a documented TTL of 3600 seconds.

Official resources

2026-05-27