PatchSiren cyber security CVE debrief
CVE-2026-48150 Budibase CVE debrief
A critical privilege escalation vulnerability in Budibase allows workspace-scoped builders to grant themselves or other users global administrator privileges. The flaw lies in the /api/public/v1/roles/assign endpoint: the builderOrAdmin middleware grants access on the basis of app-level builder status, but the underlying SDK then assigns global roles without any further verification. An attacker holding workspace-scoped builder access on an instance with an Enterprise license and the EXPANDED_PUBLIC_API feature can escalate from app-level permissions within a tenant to full global administrative control with a single POST request. This amounts to a complete compromise of the tenant's security boundary.
- Vendor: Budibase
- Product: Unknown
- CVSS: CRITICAL 9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running Budibase versions prior to 3.39.0 with Enterprise licenses and enabled EXPANDED_PUBLIC_API feature. Security teams managing multi-tenant low-code platforms. Identity and access management administrators responsible for role segregation in builder environments. Compliance officers evaluating tenant isolation controls in SaaS applications.
Technical summary
The vulnerability stems from insufficient authorization checks in the role assignment flow. The builderOrAdmin middleware verifies that the requester has builder status for the application named in the x-budibase-app-id header, and it accepts both global builders and workspace-scoped builders. The controller, however, passes the entire request body to the SDK without validation, and the SDK honours builder.global=true or admin.global=true flags on arbitrary user IDs. This gap between middleware authorization and SDK enforcement lets workspace-scoped builders, who are intended to hold limited, app-specific permissions, modify global role assignments across the entire tenant. The EXPANDED_PUBLIC_API feature flag, available with Enterprise licenses, exposes this endpoint to API key authentication, widening the attack surface beyond interactive sessions.
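To make the gap concrete, the following TypeScript is an added example written for this debrief, not Budibase's own code: it models an app-level middleware check that passes workspace-scoped builders and a controller-side check that refuses global role flags from anyone but a global admin. The interface names, function names and the fix pattern are assumptions, and the requesters and request bodies are constructed samples.

```typescript
// Added example, not Budibase's code: models the gap the advisory describes
// (app-level middleware check, global-role SDK) and a check that closes it.
interface Requester {
  userId: string;
  globalAdmin: boolean;
  globalBuilder: boolean;
  builderApps: string[]; // apps a workspace-scoped builder may edit
}
interface AssignBody {
  userIds: string[];
  builder?: { global?: boolean; apps?: string[] };
  admin?: { global?: boolean };
}

// Mirrors the middleware behaviour described in the advisory: any builder for
// the app named in x-budibase-app-id passes, global or workspace-scoped alike.
function builderOrAdmin(req: Requester, appId: string): boolean {
  return req.globalAdmin || req.globalBuilder || req.builderApps.includes(appId);
}

// Hardened check (assumed fix pattern, not the vendor's patch): validate the
// body before it reaches the SDK, so passing the middleware no longer implies
// authority over global roles.
function authorizeAssign(req: Requester, appId: string, body: AssignBody): { ok: boolean; reason: string } {
  if (!builderOrAdmin(req, appId)) {
    return { ok: false, reason: "requester is not a builder for this app" };
  }
  const wantsGlobal = body.builder?.global === true || body.admin?.global === true;
  if (wantsGlobal && !req.globalAdmin) {
    return { ok: false, reason: "global role grants require a global admin" };
  }
  if (!req.globalAdmin && !req.globalBuilder) {
    // Workspace-scoped builders may only grant builder access to apps they build.
    const outOfScope = (body.builder?.apps ?? []).filter((a) => !req.builderApps.includes(a));
    if (outOfScope.length > 0) {
      return { ok: false, reason: `apps outside builder scope: ${outOfScope.join(", ")}` };
    }
  }
  return { ok: true, reason: "allowed" };
}

// Constructed sample: a workspace-scoped builder for app-1 sends a body with
// admin.global=true. The middleware alone would let this reach the SDK.
const workspaceBuilder: Requester = { userId: "u-1", globalAdmin: false, globalBuilder: false, builderApps: ["app-1"] };
const globalAdmin: Requester = { userId: "u-0", globalAdmin: true, globalBuilder: true, builderApps: [] };
const escalationBody: AssignBody = { userIds: ["u-1"], admin: { global: true } };
const scopedBody: AssignBody = { userIds: ["u-2"], builder: { apps: ["app-1"] } };
```

The same shape of check, applied on the server before the SDK call, is what the recommended action "verify that workspace-scoped builders cannot access role modification capabilities beyond their intended scope" is asking you to confirm.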
Defensive priority
critical
Recommended defensive actions
- Upgrade Budibase to version 3.39.0 or later immediately
- Audit existing user role assignments for unexpected global admin or global builder grants
- Review and restrict access to the EXPANDED_PUBLIC_API feature flag to only essential personnel
- Implement additional monitoring on /api/public/v1/roles/assign endpoint for anomalous role assignment requests
- Verify that workspace-scoped builders cannot access role modification capabilities beyond their intended scope
- Conduct tenant-wide review of API key distribution and usage patterns
Evidence notes
Vulnerability confirmed through GitHub Security Advisory. Affected versions: prior to 3.39.0. Fixed in version 3.39.0. CVSS 3.1 score: 9.0 (Critical). Attack vector: network-based, low complexity, requires high privileges (workspace builder), no user interaction, scope change, high impact to confidentiality and integrity, low impact to availability.
Official resources
- CVE-2026-48150 CVE record (CVE.org)
- CVE-2026-48150 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27