What is the CVSS score of CVE-2026-25040?

CVE-2026-25040 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Budibase are affected by CVE-2026-25040?

CVE-2026-25040 is a high-severity vulnerability in Budibase affecting internal tool and workflow platforms.

Is there a public PoC exploit available for CVE-2026-25040?

Yes, a public proof-of-concept exploit is available for CVE-2026-25040. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-25040?

Within 24 hours: Inventory all Budibase deployments and assess exposure; implement network segmentation to restrict access to Budibase instances. Within 7 days: Apply compensating controls including WAF rules to block malicious payloads, disable non-essential Budibase features if possible, and restrict user access to least-privilege basis. Within 30 days: Monitor vendor for patch release and prepare emergency patching procedure; consider alternative low-code platforms if patch timeline extends beyond acceptable risk tolerance.

Budibase CVE-2026-25040

HIGH

Incorrect Authorization (CWE-863)

2026-01-29 security-advisories@github.com

Privilege Escalation Budibase

8.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:00 vuln.today

PoC Detected

Mar 03, 2026 - 15:19 vuln.today

Public exploit code

CVE Published

Jan 29, 2026 - 22:15 nvd

HIGH 8.8

DescriptionGitHub Advisory

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invite new users with any role, including Admin, Creator, or App Viewer, and assign them to any group in the organization. This allows full privilege escalation, bypassing UI restrictions, and can lead to complete takeover of the workspace or organization. As of time of publication, no known fixed versions are available.

AnalysisAI

Budibase is a low code platform for creating internal tools, workflows, and admin panels. [CVSS 8.8 HIGH]

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as Creator-level user

Delivery

Intercept user invitation API request

Exploit

Modify request to assign Admin role

Execution

Submit manipulated API call

Impact

Attacker gains admin privileges

Access

Authenticate as Creator-level user

Delivery

Intercept user invitation API request

Exploit

Modify request to assign Admin role

Execution

Submit manipulated API call

Impact

Attacker gains admin privileges

Vulnerability AssessmentAI

Exploitation	Creator-level user account in Budibase versions up to 3.26.3 with network access to the application API. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 8.8 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker (requires authentication) could exploit this vulnerability to complete takeover of the workspace or organization.
Remediation	Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Budibase deployments and assess exposure; implement network segmentation to restrict access to Budibase instances. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-25040 vulnerability details – vuln.today

Back

Budibase CVE-2026-25040

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code