Budibase EUVD-2026-32597

Summary

The public API role unassignment endpoint (POST /api/public/v1/roles/unassign) updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user identity and permissions from this cache (TTL: 3600 seconds), a user whose admin, builder, or app-level roles have been revoked via the public API retains those privileges for up to 1 hour.

Details

The root cause is an inconsistency between the UserDB.save() and UserDB.bulkUpdate() code paths.

Vulnerable path - packages/pro/src/sdk/publicApi/roles.ts:49-75:

export async function unAssign(userIds: string[], opts: AssignmentOpts) {
  // ... modifies user objects: deletes roles, admin, builder ...
  await userDB.bulkUpdate(users)  // line 74
}

bulkUpdate delegates to bulkUpdateGlobalUsers() at packages/backend-core/src/users/users.ts:82-85:

export async function bulkUpdateGlobalUsers(users: User[]) {
  const db = getGlobalDB()
  return (await db.bulkDocs(users)) as BulkDocsResponse
}

This writes directly to CouchDB with no cache invalidation.

Correct path - packages/backend-core/src/users/db.ts:355 (used by admin UI):

await cache.user.invalidateUser(response.id)

Cache configuration - packages/backend-core/src/cache/user.ts:11:

const EXPIRY_SECONDS = 3600  // 1 hour TTL

Authentication middleware - packages/backend-core/src/middleware/authenticated.ts:153-160:

user = await getUser({
  userId,
  tenantId: session.tenantId,
  email: session.email,
})

getUser() reads from Redis cache first; it only falls back to CouchDB on cache miss. After unAssign updates CouchDB without invalidating Redis, every authenticated request continues to use the stale cached user object with the old (revoked) privileges.

Notably, other bulk operations in the codebase handle this correctly - groups.addUsers() and groups.removeUsers() in packages/pro/src/sdk/groups/groups.ts both loop through affected users and call cache.user.invalidateUser() after bulkUpdateGlobalUsers(). The public API roles path was missed.

PoC

# Prerequisites: Enterprise license, admin API key, a second user with admin role
# Step 1: Confirm user has admin access
curl -s -X GET http://localhost:10000/api/global/roles \
  -H 'Cookie: budibase:auth=<target-user-session>' \
  -H 'x-budibase-app-id: app_xyz'
# Returns 200 with roles list
# Step 2: Revoke admin role via public API
curl -s -X POST http://localhost:10000/api/public/v1/roles/unassign \
  -H 'x-budibase-api-key: <admin-api-key>' \
  -H 'Content-Type: application/json' \
  -d '{"userIds": ["<target-user-id>"], "admin": true}'
# Returns 200 - role removed from CouchDB
# Step 3: Verify DB was updated (admin field removed)
# (check CouchDB directly - user document no longer has admin: {global: true})
# Step 4: Immediately retry admin endpoint as revoked user
curl -s -X GET http://localhost:10000/api/global/roles \
  -H 'Cookie: budibase:auth=<target-user-session>' \
  -H 'x-budibase-app-id: app_xyz'
# STILL returns 200 - stale cache serves old admin privileges
# Step 5: Wait for cache expiry (up to 3600 seconds) and retry
# After cache expires, the request correctly returns 403

Impact

A user whose admin, builder, or app-level roles have been revoked via the public API retains full access to those privileges for up to 1 hour. This is particularly concerning in automated offboarding scenarios where HR/IT systems use the public API to revoke access for terminated employees - the terminated user retains admin/builder access to all applications and data during the cache window.

The impact is bounded by:

• Requires enterprise license (expanded public API feature)
• Maximum 1-hour window before cache expires
• Only affects the public API revocation path; revocations via the admin UI (UserDB.save()) invalidate cache correctly
• The assign direction has the inverse issue (newly granted roles are delayed) but this is less security-critical

Recommended Fix

Add cache invalidation to bulkUpdateGlobalUsers or to the callers that need it. The most targeted fix is in the unAssign function:

// packages/pro/src/sdk/publicApi/roles.ts
import { cache } from "@budibase/backend-core"

export async function unAssign(userIds: string[], opts: AssignmentOpts) {
  // ... existing role removal logic ...
  await userDB.bulkUpdate(users)

  // Invalidate cache for all affected users
  await Promise.all(
    users.map(user => cache.user.invalidateUser(user._id!))
  )
}

Alternatively, fix it at the bulkUpdate level to prevent future callers from having the same gap:

// packages/backend-core/src/users/db.ts
static async bulkUpdate(users: User[]) {
  const result = await usersCore.bulkUpdateGlobalUsers(users)
  await Promise.all(
    users.map(user => cache.user.invalidateUser(user._id!))
  )
  return result
}

The same fix should also be applied to the assign function in the same file.