CVE-2026-48150
Status: Received - Intake
Privilege Escalation in Budibase via API Role Assignment

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
Budibase is an open-source low-code platform. Prior to 3.39.0, /api/public/v1/roles/assign is guarded by the builderOrAdmin middleware, which passes any user who is a builder for the app id in the x-budibase-app-id header. That check admits both global builders and workspace-scoped builders (builder.apps set but builder.global unset). The controller then spreads the request body into the SDK call, and the SDK grants builder.global=true or admin.global=true on whichever user ids the caller supplies. Bob, a workspace-scoped builder with an API key, promotes himself or any other user to global admin with one POST. The whole flow is tenant-wide privilege escalation from an app-level role, available to anyone with an Enterprise license that unlocks the EXPANDED_PUBLIC_API feature. This vulnerability is fixed in 3.39.0.
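The two defects named above (an app-scoped builder passing the role check, and the request body spread into the user update), shown as an added TypeScript illustration beside a hardened form; this is not Budibase's code, the names User, sampleUsers, assignRolesVulnerable, assignRoleHardened and APP_ROLES are hypothetical, and the actual 3.39.0 fix may differ.

```typescript
// Added illustration of the two defects named above: an app-scoped builder
// passing the role check, and the request body spread into the user update.
// User, sampleUsers, assignRolesVulnerable, assignRoleHardened and APP_ROLES
// are hypothetical names, not Budibase code; the 3.39.0 fix may differ.
interface User {
  id: string;
  builder?: { global?: boolean; apps?: string[] };
  admin?: { global?: boolean };
  roles?: Record<string, string>;   // appId -> app-level role
}
// Constructed sample tenant: alice is a global builder, bob builds only app_1.
function sampleUsers(): Map<string, User> {
  return new Map<string, User>([
    ["alice", { id: "alice", builder: { global: true } }],
    ["bob", { id: "bob", builder: { apps: ["app_1"] } }],
    ["carol", { id: "carol" }],
  ]);
}
function isBuilderForApp(u: User, appId: string): boolean {
  return !!u.builder?.global || !!u.builder?.apps?.includes(appId);
}
// Vulnerable shape (CWE-915): any builder for the app passes, and every field
// of the body lands on the target user, so admin.global can be set at will.
function assignRolesVulnerable(store: Map<string, User>, caller: User,
                               appId: string, body: Record<string, unknown>): User {
  if (!isBuilderForApp(caller, appId)) throw new Error("forbidden");
  const target = store.get(String(body.userId));
  if (!target) throw new Error("unknown user");
  const updated = Object.assign({}, target, body) as User;   // mass assignment
  store.set(updated.id, updated);
  return updated;
}
const APP_ROLES = new Set(["BASIC", "POWER", "ADMIN"]);   // hypothetical role names
// Hardened shape: require a global builder, then read only the allow-listed
// fields userId and role; any global flag in the body is never looked at.
function assignRoleHardened(store: Map<string, User>, caller: User,
                            appId: string, body: Record<string, unknown>): User {
  if (!caller.builder?.global) throw new Error("forbidden");
  const { userId, role } = body;
  if (typeof userId !== "string" || typeof role !== "string" || !APP_ROLES.has(role)) {
    throw new Error("bad request");
  }
  const target = store.get(userId);
  if (!target) throw new Error("unknown user");
  const updated: User = { ...target, roles: { ...target.roles, [appId]: role } };
  store.set(userId, updated);
  return updated;
}
```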
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-05-28
AI Q&A: 2026-05-27
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: budibase
Product: budibase
Version / Range: up to 3.39.0 (3.39.0 excluded)
CWE
CWE-915: The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Budibase, an open-source low-code platform, prior to version 3.39.0. The issue is in the /api/public/v1/roles/assign endpoint, which is protected by the builderOrAdmin middleware. This middleware allows any user who is a builder for the app ID specified in the x-budibase-app-id header to pass. However, it incorrectly admits both global builders and workspace-scoped builders.

The problem arises because the controller spreads the request body into an SDK call that grants global builder or admin privileges (builder.global=true or admin.global=true) to whichever user IDs the caller supplies. As a result, a workspace-scoped builder with an API key can promote themselves or any other user to global admin with a single POST request.

This leads to tenant-wide privilege escalation from an app-level role, and it is only available to users with an Enterprise license that enables the EXPANDED_PUBLIC_API feature. The vulnerability was fixed in version 3.39.0.


How can this vulnerability impact me?

This vulnerability allows a workspace-scoped builder with an API key to escalate their privileges to global admin across the entire tenant. This means that an attacker can gain full administrative control over the Budibase environment, potentially accessing, modifying, or deleting sensitive data and configurations.

Such unauthorized privilege escalation can lead to data breaches, unauthorized changes, disruption of services, and compromise of the integrity and availability of the platform.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Budibase to version 3.39.0 or later, where the issue is fixed.

Additionally, restrict or review API keys and permissions for workspace-scoped builders, especially those with access to the EXPANDED_PUBLIC_API feature, to prevent unauthorized privilege escalation.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows a workspace-scoped builder with an API key to escalate their privileges to global admin, granting unrestricted access to the entire tenant, including all apps, users, and configurations.

Such unauthorized privilege escalation can lead to unauthorized access to sensitive personal data and critical system configurations, which may result in violations of data protection regulations such as GDPR and HIPAA.

By bypassing intended role-based access controls, the vulnerability increases the risk of data breaches and unauthorized data processing, potentially compromising confidentiality and integrity requirements mandated by these standards.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unauthorized privilege escalation via the /api/public/v1/roles/assign endpoint in Budibase versions prior to 3.39.0. Detection involves monitoring for suspicious POST requests to this endpoint that attempt to assign global admin privileges.

You can detect potential exploitation attempts by inspecting your server logs or network traffic for POST requests to /api/public/v1/roles/assign containing payloads that grant global roles (e.g., builder.global=true or admin.global=true) to users.

Example commands to help detect such activity include:

  • Using grep on server logs to find suspicious POST requests:
    grep -i 'POST /api/public/v1/roles/assign' /path/to/access.log | grep 'global=true'
  • Using tcpdump or tshark to capture and filter HTTP POST requests to the vulnerable endpoint:
    tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/api/public/v1/roles/assign'
  • Using curl or similar tools to test if the endpoint is vulnerable by sending a crafted POST request (only on authorized test environments):
    curl -X POST https://your-budibase-instance/api/public/v1/roles/assign -H 'x-budibase-app-id: your-app-id' -H 'Authorization: Bearer your-api-key' -d '{"userId":"target-user-id","admin.global":true}'

Note: Testing should only be performed in controlled environments with proper authorization to avoid unintended privilege escalations.
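An added detection routine (not from the advisory or from Budibase) that applies the log check suggested above to structured request logs. It assumes the logs record the parsed POST body alongside method, path and caller, which plain access logs do not, so the global-role match cannot be made from an access log alone; the sample lines and the caller names are constructed.

```typescript
// Added detection example, not from the advisory. Assumes structured request
// logs (one JSON object per line, as a reverse proxy or the app itself might
// emit) that record method, path, caller and the parsed POST body; plain
// access logs carry no body, so the global-role check cannot run on them.
interface Finding { line: number; caller: string; targets: string[]; keys: string[] }

const ROLE_ASSIGN_PATH = "/api/public/v1/roles/assign";

// Return every admin.global / builder.global key set to true, whether the body
// nests them ({"admin":{"global":true}}) or uses a dotted key ("admin.global").
function globalRoleKeys(value: unknown, prefix = ""): string[] {
  if (typeof value !== "object" || value === null) return [];
  const hits: string[] = [];
  for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
    const path = prefix ? `${prefix}.${k}` : k;
    if (/^(admin|builder)\.global$/.test(path) && v === true) hits.push(path);
    hits.push(...globalRoleKeys(v, path));
  }
  return hits;
}

// Flag POSTs to the role-assignment route whose body grants a global role.
function scanRequestLog(text: string): Finding[] {
  const findings: Finding[] = [];
  text.split("\n").forEach((raw, i) => {
    if (!raw.trim()) return;
    let rec: any;
    try { rec = JSON.parse(raw); } catch { return; }   // skip non-JSON lines
    if (rec.method !== "POST" || rec.path !== ROLE_ASSIGN_PATH) return;
    const keys = globalRoleKeys(rec.body);
    if (keys.length === 0) return;
    const body = rec.body ?? {};
    const targets: string[] = Array.isArray(body.userIds) ? body.userIds.map(String)
      : body.userId !== undefined ? [String(body.userId)] : [];
    findings.push({ line: i + 1, caller: String(rec.caller ?? "unknown"), targets, keys });
  });
  return findings;
}

// Constructed sample log: a legitimate app-role change, a global-admin grant
// made by an app-scoped builder on himself, and an unrelated request.
const SAMPLE_LOG = [
  '{"ts":"2026-05-27T10:00:01Z","method":"POST","path":"/api/public/v1/roles/assign","caller":"alice","body":{"userId":"carol","role":"POWER"}}',
  '{"ts":"2026-05-27T10:00:02Z","method":"POST","path":"/api/public/v1/roles/assign","caller":"bob","body":{"userId":"bob","admin":{"global":true}}}',
  '{"ts":"2026-05-27T10:00:03Z","method":"GET","path":"/api/public/v1/users","caller":"bob"}',
].join("\n");
```

Every finding is worth a review even when the caller turns out to be a legitimate global builder, since a global-role grant through the public API should be rare.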

