CVE-2026-25040
Unknown Unknown - Not Provided
Privilege Escalation via API in Budibase ≀3.26.3 Allows Admin Takeover

Publication date: 2026-01-29

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invite new users with any role, including Admin, Creator, or App Viewer, and assign them to any group in the organization. This allows full privilege escalation, bypassing UI restrictions, and can lead to complete takeover of the workspace or organization. As of time of publication, no known fixed versions are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-29
Last Modified
2026-03-03
Generated
2026-06-16
AI Q&A
2026-01-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25040
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
budibase budibase to 3.26.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Budibase allows a Creator-level user, who normally cannot invite users through the UI, to manipulate API requests to invite new users with any role, including Admin, Creator, or App Viewer, and assign them to any group within the organization. This bypasses UI restrictions and enables privilege escalation, potentially leading to full control over the workspace or organization.

Impact Analysis

The vulnerability can lead to full privilege escalation, allowing an attacker with Creator-level access to gain administrative control over the workspace or organization. This could result in unauthorized access, modification, or takeover of internal tools, workflows, and admin panels, severely compromising the security and integrity of the affected environment.

Mitigation Strategies

Since no fixed versions are available as of the publication date, immediate mitigation steps include restricting Creator-level user permissions, monitoring API requests for unauthorized user invitations or role escalations, and limiting network access to the Budibase API to trusted users only. Additionally, consider implementing additional access controls or auditing to detect suspicious activity until a patch is released.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25040. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart