Executive Summary

This vulnerability exists in Budibase, an open-source low-code platform, prior to version 3.39.0. The issue is in the /api/public/v1/roles/assign endpoint, which is protected by the builderOrAdmin middleware. This middleware allows any user who is a builder for the app ID specified in the x-budibase-app-id header to pass. However, it incorrectly admits both global builders and workspace-scoped builders.

The problem arises because the controller spreads the request body into an SDK call that grants global builder or admin privileges (builder.global=true or admin.global=true) to whichever user IDs the caller supplies. As a result, a workspace-scoped builder with an API key can promote themselves or any other user to global admin with a single POST request.

This leads to tenant-wide privilege escalation from an app-level role, and it is only available to users with an Enterprise license that enables the EXPANDED_PUBLIC_API feature. The vulnerability was fixed in version 3.39.0.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows a workspace-scoped builder with an API key to escalate their privileges to global admin across the entire tenant. This means that an attacker can gain full administrative control over the Budibase environment, potentially accessing, modifying, or deleting sensitive data and configurations.

Such unauthorized privilege escalation can lead to data breaches, unauthorized changes, disruption of services, and compromise of the integrity and availability of the platform.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade Budibase to version 3.39.0 or later, where the issue is fixed.

Additionally, restrict or review API keys and permissions for workspace-scoped builders, especially those with access to the EXPANDED_PUBLIC_API feature, to prevent unauthorized privilege escalation.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows a workspace-scoped builder with an API key to escalate their privileges to global admin, granting unrestricted access to the entire tenant, including all apps, users, and configurations.

Such unauthorized privilege escalation can lead to unauthorized access to sensitive personal data and critical system configurations, which may result in violations of data protection regulations such as GDPR and HIPAA.

By bypassing intended role-based access controls, the vulnerability increases the risk of data breaches and unauthorized data processing, potentially compromising confidentiality and integrity requirements mandated by these standards.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthorized privilege escalation via the /api/public/v1/roles/assign endpoint in Budibase versions prior to 3.39.0. Detection involves monitoring for suspicious POST requests to this endpoint that attempt to assign global admin privileges.

You can detect potential exploitation attempts by inspecting your server logs or network traffic for POST requests to /api/public/v1/roles/assign containing payloads that grant global roles (e.g., builder.global=true or admin.global=true) to users.

Example commands to help detect such activity include:

• Using grep on server logs to find suspicious POST requests: grep -i 'POST /api/public/v1/roles/assign' /path/to/access.log | grep 'global=true'
• Using tcpdump or tshark to capture and filter HTTP POST requests to the vulnerable endpoint: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/api/public/v1/roles/assign'
• Using curl or similar tools to test if the endpoint is vulnerable by sending a crafted POST request (only on authorized test environments): curl -X POST https://your-budibase-instance/api/public/v1/roles/assign -H 'x-budibase-app-id: your-app-id' -H 'Authorization: Bearer your-api-key' -d '{"userId":"target-user-id","admin.global":true}'

Note: Testing should only be performed in controlled environments with proper authorization to avoid unintended privilege escalations.

Useful 0 Not Useful 0