Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares to the SCIM router: requireSCIM (checks the Enterprise feature flag and SCIM config) and doInScimContext (sets the SCIM request context). There is no role check. Any authenticated user who reaches the worker (BASIC role, workspace-scoped builder, anyone) can call SCIM endpoints and CRUD every user and group in the tenant. This vulnerability is fixed in 3.38.2.
AnalysisAI
Privilege escalation via missing authorization in Budibase before 3.38.2 lets any authenticated user — including low-privilege BASIC accounts and workspace-scoped builders — reach the worker's SCIM API and perform full CRUD on every user and group in the tenant. The SCIM router only enforced an Enterprise feature flag and SCIM context, never a role/admin check, so identity-management operations meant for administrators were exposed to all sessions. Fixed in 3.38.2; no public exploit identified at time of analysis, but the trivial nature of the flaw (a single missing middleware) makes it easy to weaponize once known.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32598