Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Budibase is an open-source low-code platform. Prior to 3.39.0, /api/public/v1/roles/assign is guarded by the builderOrAdmin middleware, which passes any user who is a builder for the app id in the x-budibase-app-id header. That check admits both global builders and workspace-scoped builders (builder.apps set but builder.global unset). The controller then spreads the request body into the SDK call, and the SDK grants builder.global=true or admin.global=true on whichever user ids the caller supplies. Bob, a workspace-scoped builder with an API key, promotes himself or any other user to global admin with one POST. The whole flow is tenant-wide privilege escalation from an app-level role, available to anyone with an Enterprise license that unlocks the EXPANDED_PUBLIC_API feature. This vulnerability is fixed in 3.39.0.
AnalysisAI
Privilege escalation in Budibase before 3.39.0 lets a workspace-scoped builder promote themselves or any other user to global administrator with a single POST to /api/public/v1/roles/assign. The builderOrAdmin middleware admits app-level builders (builder.apps set, builder.global unset) and the controller blindly spreads the request body into the SDK, allowing the caller to set builder.global=true or admin.global=true on arbitrary user IDs. The flaw turns a tenant-confined Enterprise feature into full tenant-wide takeover; no public exploit is identified at time of analysis, but the technique is fully described in the GitHub advisory.
Technical ContextAI
Budibase is an open-source low-code application platform; the affected surface is its public REST API, specifically the role-assignment endpoint exposed when an Enterprise license unlocks the EXPANDED_PUBLIC_API feature. The root cause maps to CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes, i.e. a mass-assignment / object-injection flaw): the controller takes attacker-controlled request-body fields and spreads them directly into an SDK call that mutates the target user's privilege attributes, with no allow-list filtering of which attributes (builder.global, admin.global) may be set. Compounding this, the builderOrAdmin authorization middleware keys off the x-budibase-app-id header and treats any builder for that app as authorized, failing to distinguish a global builder from a workspace/app-scoped builder. EUVD records the affected scope as budibase < 3.39.0.
RemediationAI
Vendor-released patch: 3.39.0 - upgrade Budibase to 3.39.0 or later, which corrects both the builderOrAdmin authorization check and the role-assignment handling, per advisory GHSA-6xp4-cf37-ppjh (https://github.com/Budibase/budibase/security/advisories/GHSA-6xp4-cf37-ppjh). If immediate upgrade is not possible, reduce exposure by disabling the EXPANDED_PUBLIC_API feature so the /api/public/v1/roles/assign endpoint is not reachable (trade-off: this removes the expanded public API capabilities legitimate integrations may depend on), by revoking or tightly restricting API keys issued to workspace/app-scoped builders, and by minimizing the number of users granted builder roles (trade-off: slows delegated app development). Additionally, audit current global admin and builder.global assignments to detect any unauthorized promotions that may already have occurred, and place network/access controls in front of the public API endpoints.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32590
GHSA-6xp4-cf37-ppjh