What is the CVSS score of CVE-2026-46425?

CVE-2026-46425 has a CVSS 3.1 base score of 9.9 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Budibase are affected by CVE-2026-46425?

Budibase versions before 3.38.2 contain a critical privilege escalation flaw that allows any authenticated user - including low-privilege accounts - to perform administrative actions on all users and…. A patch is available.

How to fix or mitigate CVE-2026-46425?

24 hours: Verify your Budibase version and assess which users have authentication access. If running 3.38.1 or earlier, apply network-level restrictions to SCIM API endpoints. 7 days: Upgrade all affected Budibase instances to version 3.38.2 or later according to vendor upgrade procedures. 30 days: Audit Budibase logs for unauthorized user or group modifications and validate administrative access controls are properly enforced post-upgrade.

Budibase CVE-2026-46425

EUVD-2026-32598 CRITICAL

Missing Authorization (CWE-862)

2026-05-27 security-advisories@github.com

Authentication Bypass

9.9

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Source Code Evidence Fetched

May 27, 2026 - 19:51 vuln.today

Analysis Generated

May 27, 2026 - 19:51 vuln.today

Patch available

May 27, 2026 - 19:46 EUVD

DescriptionNVD

Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares to the SCIM router: requireSCIM (checks the Enterprise feature flag and SCIM config) and doInScimContext (sets the SCIM request context). There is no role check. Any authenticated user who reaches the worker (BASIC role, workspace-scoped builder, anyone) can call SCIM endpoints and CRUD every user and group in the tenant. This vulnerability is fixed in 3.38.2.

AnalysisAI

Privilege escalation via missing authorization in Budibase before 3.38.2 lets any authenticated user — including low-privilege BASIC accounts and workspace-scoped builders — reach the worker's SCIM API and perform full CRUD on every user and group in the tenant. The SCIM router only enforced an Enterprise feature flag and SCIM context, never a role/admin check, so identity-management operations meant for administrators were exposed to all sessions. …

RemediationAI

24 hours: Verify your Budibase version and assess which users have authentication access. If running 3.38.1 or earlier, apply network-level restrictions to SCIM API endpoints. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-46425 vulnerability details – vuln.today

Back

Budibase CVE-2026-46425

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code