CVE-2026-25040
Privilege Escalation via API in Budibase β€3.26.3 Allows Admin Takeover
Publication date: 2026-01-29
Last updated on: 2026-03-03
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| budibase | budibase | to 3.26.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Budibase allows a Creator-level user, who normally cannot invite users through the UI, to manipulate API requests to invite new users with any role, including Admin, Creator, or App Viewer, and assign them to any group within the organization. This bypasses UI restrictions and enables privilege escalation, potentially leading to full control over the workspace or organization.
How can this vulnerability impact me? :
The vulnerability can lead to full privilege escalation, allowing an attacker with Creator-level access to gain administrative control over the workspace or organization. This could result in unauthorized access, modification, or takeover of internal tools, workflows, and admin panels, severely compromising the security and integrity of the affected environment.
What immediate steps should I take to mitigate this vulnerability?
Since no fixed versions are available as of the publication date, immediate mitigation steps include restricting Creator-level user permissions, monitoring API requests for unauthorized user invitations or role escalations, and limiting network access to the Budibase API to trusted users only. Additionally, consider implementing additional access controls or auditing to detect suspicious activity until a patch is released.