Executive Summary

This vulnerability exists in Budibase, an open-source low-code platform, in versions prior to 3.38.1. The POST /api/global/users/onboard endpoint is intended to be protected so that only admins can invite new users. However, it is only protected by middleware that allows users with builder permissions to access it. When SMTP email is not configured (which is the default for self-hosted instances), this endpoint bypasses the normal admin-restricted invite process and allows a builder-level user to create new users directly, including assigning arbitrary admin and builder roles.

As a result, a user with builder permissions can create a new global admin account and receive the generated password in the response, effectively escalating their privileges to full admin rights. This security flaw was fixed in version 3.38.1.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows a user with builder permissions to escalate privileges to global admin by creating new admin accounts and accessing sensitive data. Such unauthorized access and privilege escalation can lead to breaches of confidentiality, integrity, and availability of data.

As a result, organizations using affected versions of Budibase may face compliance risks with standards and regulations like GDPR and HIPAA, which require strict controls on access to sensitive personal and health data to prevent unauthorized disclosure or modification.

Failure to properly restrict access and protect sensitive data could lead to violations of these regulations, potentially resulting in legal penalties, reputational damage, and loss of trust.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring and analyzing requests to the `/api/global/users/onboard` endpoint on Budibase instances, especially those that are self-hosted and have SMTP email not configured.

Detection involves identifying POST requests made by users with builder permissions that attempt to create new users with admin or builder roles. Such requests may contain payloads with arbitrary role assignments and result in responses containing generated passwords.

Suggested commands for detection include using network traffic inspection tools like curl or command-line HTTP clients to simulate or detect suspicious POST requests, or using log analysis commands to search for such activity in server logs.

• Use curl to test the endpoint for unauthorized user creation attempts: curl -X POST https://<budibase-instance>/api/global/users/onboard -d '{"roles": ["admin"]}' -H 'Authorization: Bearer <builder-token>' -H 'Content-Type: application/json'
• Search server logs for POST requests to `/api/global/users/onboard` with role assignments in the request body: grep 'POST /api/global/users/onboard' /path/to/budibase/logs/* | grep 'admin'
• Monitor network traffic for suspicious POST requests to the endpoint using tools like tcpdump or Wireshark filtering on the endpoint path.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have a severe impact because it allows a user with limited builder permissions to escalate their privileges to full global admin access. This means an attacker could gain complete control over the Budibase instance, including managing users, accessing sensitive data, and modifying configurations.

Such unauthorized admin access can lead to data breaches, unauthorized changes, and potential disruption of services. The CVSS score of 8.8 indicates a high severity with network attack vector, low attack complexity, and no user interaction required.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade Budibase to version 3.38.1 or later, where the issue is fixed.

Additionally, ensure that SMTP email is properly configured to avoid bypassing the admin-restricted invite flow.

Useful 0 Not Useful 0