PatchSiren cyber security CVE debrief
CVE-2026-46425 Budibase CVE debrief
A critical authorization bypass vulnerability in Budibase's SCIM (System for Cross-domain Identity Management) implementation allows any authenticated user to perform full CRUD operations on all users and groups within a tenant. The vulnerability exists because the SCIM router in packages/worker/src/api/routes/global/scim.ts only applies two middleware checks—requireSCIM (Enterprise feature flag and SCIM configuration validation) and doInScimContext (SCIM request context setup)—without any role-based access control. This means users with BASIC roles, workspace-scoped builders, or any other authenticated identity who can reach the worker service can exploit SCIM endpoints to create, read, update, and delete arbitrary user accounts and groups across the entire tenant. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) reflects network accessibility, low attack complexity, low privileges required, no user interaction, changed scope, and high impacts across confidentiality, integrity, and availability. The vulnerability is classified under CWE-862 (Missing Authorization). Budibase addressed this issue in version 3.38.2, released on May 27, 2026. Organizations running affected versions should prioritize upgrading to 3.38.2 or later, particularly those with SCIM enabled for identity synchronization.
- Vendor: Budibase
- Product: Unknown
- CVSS: CRITICAL 9.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations using Budibase for internal application development with SCIM-enabled identity synchronization, particularly multi-tenant deployments or environments with mixed-role user bases. Security teams managing low-code platform governance and identity architects relying on SCIM for automated user provisioning should prioritize this patch.
Technical summary
The Budibase worker service's SCIM router (packages/worker/src/api/routes/global/scim.ts) fails to implement role-based access control, permitting any authenticated user to invoke SCIM endpoints for cross-tenant user and group management. The middleware chain only validates Enterprise licensing and establishes request context without verifying administrative privileges. This architectural gap enables privilege escalation from BASIC or builder roles to full identity provider capabilities. The fix in 3.38.2 adds appropriate authorization checks to the SCIM route handlers.
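The middleware gap described above, modelled as an added TypeScript illustration that is not Budibase's code: requireSCIM and doInScimContext mirror the two checks named in this debrief, while the Role values, the requireAdmin middleware, the handler and the minimal Koa-style compose() helper are assumed stand-ins so the chain runs offline.

```typescript
// Added illustration of the missing authorization (CWE-862) described above; not Budibase code.
// requireSCIM and doInScimContext mirror the two checks named on the page; Role values,
// requireAdmin, the handler and the compose() helper are assumed stand-ins.
type Role = "ADMIN" | "BASIC" | "BUILDER";
interface Ctx {
  user: { role: Role; tenantId: string };
  scimEnabled: boolean; // stands in for the Enterprise-licence and SCIM-config check
  status: number;
  scimContext?: { tenantId: string };
}
type Middleware = (ctx: Ctx, next: () => void) => void;
// Minimal synchronous Koa-style composer (stand-in for koa-compose).
function compose(mws: Middleware[]): (ctx: Ctx) => void {
  return (ctx) => {
    const dispatch = (i: number): void => {
      if (i < mws.length) mws[i](ctx, () => dispatch(i + 1));
    };
    dispatch(0);
  };
}
// Feature gate only: confirms SCIM is licensed and configured, says nothing about the caller.
const requireSCIM: Middleware = (ctx, next) => {
  if (!ctx.scimEnabled) { ctx.status = 400; return; }
  next();
};
// Context setup only: records the tenant for the request, still no authorization.
const doInScimContext: Middleware = (ctx, next) => {
  ctx.scimContext = { tenantId: ctx.user.tenantId };
  next();
};
// The check the vulnerable router lacks: only an admin identity may reach SCIM handlers.
const requireAdmin: Middleware = (ctx, next) => {
  if (ctx.user.role !== "ADMIN") { ctx.status = 403; return; }
  next();
};
// Stand-in for a SCIM write handler, e.g. deleting a user in the caller's tenant.
const deleteUserHandler: Middleware = (ctx) => {
  ctx.status = 200;
};
// Vulnerable chain as described: feature gate + context, then straight into the handler.
const vulnerableRoute = compose([requireSCIM, doInScimContext, deleteUserHandler]);
// Hardened chain: same route with the authorization check inserted after the feature gate.
const hardenedRoute = compose([requireSCIM, requireAdmin, doInScimContext, deleteUserHandler]);
// Run a route for a caller with the given role and return the resulting HTTP status.
function statusFor(route: (ctx: Ctx) => void, role: Role, scimEnabled = true): number {
  const ctx: Ctx = { user: { role, tenantId: "t1" }, scimEnabled, status: 404 };
  route(ctx);
  return ctx.status;
}
```

With the vulnerable chain a BASIC or BUILDER caller reaches the handler (200) exactly as an ADMIN does; the hardened chain answers 403 for them while still returning 400 when SCIM is not configured.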
Defensive priority
critical
Recommended defensive actions
- Upgrade Budibase to version 3.38.2 or later to remediate the missing authorization check in SCIM endpoints.
- If immediate patching is not feasible, consider disabling SCIM functionality temporarily to eliminate the attack surface, accepting potential disruption to identity synchronization workflows.
- Review tenant user and group configurations for unauthorized changes if SCIM was enabled during the vulnerable period.
- Audit access logs for SCIM endpoint activity from non-administrative user accounts to detect potential exploitation.
- Verify that role-based access controls are properly enforced on all administrative and identity management endpoints after upgrading.
Evidence notes
Vulnerability description sourced from official CVE record and GitHub Security Advisory GHSA-q9rw-q89f-jx2f. Fix version 3.38.2 confirmed via GitHub release tag. CVSS 3.1 vector and CWE-862 classification from NVD source data.
Official resources
2026-05-27