CVE-2026-25045
Status: Received - Intake
Vertical Privilege Escalation and IDOR in Budibase API Leads to Tenant Compromise

Publication date: 2026-03-09

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Budibase is a low-code platform for creating internal tools, workflows, and admin panels. This issue is a combination of Vertical Privilege Escalation and IDOR (Insecure Direct Object Reference) caused by missing server-side RBAC checks in the /api/global/users endpoints. A Creator-level user, who should have no permission to manage users or organizational roles, can instead promote an App Viewer to Tenant Admin, demote a Tenant Admin to App Viewer, or modify the Owner's account details and all orders (e.g., change the name). Because the API accepts these actions without validating the requesting role, a Creator can replay Owner-only requests using their own session tokens. This leads to full tenant compromise.
Meta Information
Published: 2026-03-09
Last Modified: 2026-03-13
Generated: 2026-06-16
AI Q&A: 2026-03-09
EPSS Evaluated: 2026-06-15
Also listed in: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor   | Product  | Version / Range
budibase | budibase | up to 3.32.3 (inclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-25045 is a critical vulnerability in Budibase's user role management system caused by missing server-side Role-Based Access Control (RBAC) checks on the /api/global/users endpoint.

This flaw allows a Creator-level user, who normally cannot manage users or organizational roles, to perform unauthorized actions such as promoting an App Viewer to Tenant Admin, demoting a Tenant Admin to App Viewer, or modifying the Owner's account details and all orders.

The vulnerability occurs because the API accepts requests meant only for Owners without verifying the requesting user's role. A Creator can capture legitimate Owner requests and replay them using their own session tokens, resulting in unauthorized privilege changes and full tenant compromise.

These unauthorized changes are applied silently without UI indication or logging, making detection difficult. [1]

Impact Analysis

This vulnerability can lead to complete tenant takeover by unauthorized users.

  • Arbitrary privilege escalation allowing unauthorized users to gain Tenant Admin or Owner-level access.
  • Demotion of legitimate admins, disrupting normal administrative control.
  • Impersonation of the Owner account and modification of sensitive account details and orders.
  • Potential data exfiltration, service abuse, fraud, and amplification of insider threats.
  • Disruption of business operations due to unauthorized changes and loss of control.

Compliance Impact

The vulnerability leads to violations of compliance requirements such as GDPR, SOC2, and ISO27001.

Unauthorized privilege escalation and data manipulation can result in breaches of confidentiality, integrity, and availability of sensitive data.

Such breaches can cause non-compliance with data protection regulations, exposing organizations to legal and financial penalties.

Detection Guidance

This vulnerability is difficult to detect via the user interface because Creator-initiated role changes are neither logged nor displayed. Detection involves monitoring API requests to the /api/global/users endpoint for unauthorized role modification attempts.

A practical detection method is to intercept and analyze HTTP requests to the /api/global/users endpoint using tools like Burp Suite or similar intercepting proxies. Look for requests where a Creator-level user attempts to perform role changes such as promoting an App Viewer to Tenant Admin or modifying Owner account details.

Suggested commands or steps include capturing network traffic or API calls and filtering for POST or PUT requests to /api/global/users. For example, using curl or similar tools to replay or test role modification requests with Creator session tokens can help verify if unauthorized changes are accepted.

Mitigation Strategies

Immediate mitigation steps include enforcing strict server-side Role-Based Access Control (RBAC) on the /api/global/users endpoint to ensure only authorized roles (Owner/Tenant Admins) can perform user and role management actions.

  • Block Creator roles from making any user-modification requests.
  • Implement least privilege principles in backend logic to restrict permissions appropriately.
  • Sanitize and validate user input on role parameters to prevent injection-like abuses.
  • Educate developers on OWASP API Security best practices to avoid similar issues.