Skip to main content

Budibase CVE-2026-48150

| EUVDEUVD-2026-32590 CRITICAL
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-05-27 security-advisories@github.com GHSA-6xp4-cf37-ppjh
9.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.0 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 19:52 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

DescriptionGitHub Advisory

Budibase is an open-source low-code platform. Prior to 3.39.0, /api/public/v1/roles/assign is guarded by the builderOrAdmin middleware, which passes any user who is a builder for the app id in the x-budibase-app-id header. That check admits both global builders and workspace-scoped builders (builder.apps set but builder.global unset). The controller then spreads the request body into the SDK call, and the SDK grants builder.global=true or admin.global=true on whichever user ids the caller supplies. Bob, a workspace-scoped builder with an API key, promotes himself or any other user to global admin with one POST. The whole flow is tenant-wide privilege escalation from an app-level role, available to anyone with an Enterprise license that unlocks the EXPANDED_PUBLIC_API feature. This vulnerability is fixed in 3.39.0.

AnalysisAI

Privilege escalation in Budibase before 3.39.0 lets a workspace-scoped builder promote themselves or any other user to global administrator with a single POST to /api/public/v1/roles/assign. The builderOrAdmin middleware admits app-level builders (builder.apps set, builder.global unset) and the controller blindly spreads the request body into the SDK, allowing the caller to set builder.global=true or admin.global=true on arbitrary user IDs. The flaw turns a tenant-confined Enterprise feature into full tenant-wide takeover; no public exploit is identified at time of analysis, but the technique is fully described in the GitHub advisory.

Technical ContextAI

Budibase is an open-source low-code application platform; the affected surface is its public REST API, specifically the role-assignment endpoint exposed when an Enterprise license unlocks the EXPANDED_PUBLIC_API feature. The root cause maps to CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes, i.e. a mass-assignment / object-injection flaw): the controller takes attacker-controlled request-body fields and spreads them directly into an SDK call that mutates the target user's privilege attributes, with no allow-list filtering of which attributes (builder.global, admin.global) may be set. Compounding this, the builderOrAdmin authorization middleware keys off the x-budibase-app-id header and treats any builder for that app as authorized, failing to distinguish a global builder from a workspace/app-scoped builder. EUVD records the affected scope as budibase < 3.39.0.

RemediationAI

Vendor-released patch: 3.39.0 - upgrade Budibase to 3.39.0 or later, which corrects both the builderOrAdmin authorization check and the role-assignment handling, per advisory GHSA-6xp4-cf37-ppjh (https://github.com/Budibase/budibase/security/advisories/GHSA-6xp4-cf37-ppjh). If immediate upgrade is not possible, reduce exposure by disabling the EXPANDED_PUBLIC_API feature so the /api/public/v1/roles/assign endpoint is not reachable (trade-off: this removes the expanded public API capabilities legitimate integrations may depend on), by revoking or tightly restricting API keys issued to workspace/app-scoped builders, and by minimizing the number of users granted builder roles (trade-off: slows delegated app development). Additionally, audit current global admin and builder.global assignments to detect any unauthorized promotions that may already have occurred, and place network/access controls in front of the public API endpoints.

Share

CVE-2026-48150 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy