What is the CVSS score of CVE-2026-48150?

CVE-2026-48150 has a CVSS 3.1 base score of 9.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L. EPSS exploitation probability: 0.0%.

Which versions of Budibase are affected by CVE-2026-48150?

Budibase versions before 3.39.0 contain a critical privilege escalation vulnerability allowing any workspace builder to grant themselves or others global administrator access through a single API…. A patch is available.

How to fix or mitigate CVE-2026-48150?

Within 24 hours: Inventory all Budibase deployments and document current versions; restrict network access to /api/public/v1/roles/assign endpoints where feasible. Within 7 days: Upgrade all Budibase instances to version 3.39.0 or later. Within 30 days: Audit all administrator and builder role assignments created during the vulnerability exposure window; review API access logs for unauthorized role modification attempts; confirm role hierarchy integrity post-patch.

Budibase CVE-2026-48150

EUVD-2026-32590 CRITICAL

Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)

2026-05-27 security-advisories@github.com

Privilege Escalation

9.0

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

May 27, 2026 - 19:52 vuln.today

Patch available

May 27, 2026 - 19:46 EUVD

DescriptionNVD

Budibase is an open-source low-code platform. Prior to 3.39.0, /api/public/v1/roles/assign is guarded by the builderOrAdmin middleware, which passes any user who is a builder for the app id in the x-budibase-app-id header. That check admits both global builders and workspace-scoped builders (builder.apps set but builder.global unset). The controller then spreads the request body into the SDK call, and the SDK grants builder.global=true or admin.global=true on whichever user ids the caller supplies. Bob, a workspace-scoped builder with an API key, promotes himself or any other user to global admin with one POST. The whole flow is tenant-wide privilege escalation from an app-level role, available to anyone with an Enterprise license that unlocks the EXPANDED_PUBLIC_API feature. This vulnerability is fixed in 3.39.0.

AnalysisAI

Privilege escalation in Budibase before 3.39.0 lets a workspace-scoped builder promote themselves or any other user to global administrator with a single POST to /api/public/v1/roles/assign. The builderOrAdmin middleware admits app-level builders (builder.apps set, builder.global unset) and the controller blindly spreads the request body into the SDK, allowing the caller to set builder.global=true or admin.global=true on arbitrary user IDs. …

RemediationAI

Within 24 hours: Inventory all Budibase deployments and document current versions; restrict network access to /api/public/v1/roles/assign endpoints where feasible. Within 7 days: Upgrade all Budibase instances to version 3.39.0 or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-48150 vulnerability details – vuln.today

Back

Budibase CVE-2026-48150

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code