CVE-2026-45716
published 2026-05-27CVE-2026-45716: Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware…
PriorityP261high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.26%
17.4th percentile
Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured (the default for self-hosted Budibase instances), this endpoint bypasses the admin-restricted invite flow and directly creates users via bulkCreate, accepting arbitrary admin and builder role assignments from the request body. A builder-level user can create a new global admin account and receive the generated password in the response, achieving full privilege escalation. This vulnerability is fixed in 3.38.1.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| budibase | budibase | < 3.38.1 | 3.38.1 |
| budibase | worker | >= 0 < 3.38.1 | 3.38.1 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
budibase up to 3.38.0 Request Body onboard privileges management
vuldb·2026-05-27·CVSS 8.8
CVE-2026-45716 [HIGH] budibase up to 3.38.0 Request Body onboard privileges management
A vulnerability was found in budibase up to 3.38.0. It has been rated as critical. The affected element is an unknown function of the file /api/global/users/onboard of the component Request Body Handler. Performing a manipulation results in improper privilege management.
This vulnerability is identified as CVE-2026-45716. The attack can be initiated remotely. There is not any exploit available.
Upgrading the affected component is advised.
GHSA
Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration
ghsa·2026-05-18
CVE-2026-45716 [HIGH] CWE-269 Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration
Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration
## Summary
The `POST /api/global/users/onboard` endpoint is protected by `workspaceBuilderOrAdmin` middleware, allowing any user with builder permissions to access it. When SMTP email is not configured (the default for self-hosted Budibase instances), this endpoint bypasses the admin-restricted invite flow and directly creates users via `bulkCreate`, accepting arbitrary `admin` and `builder` role assignments from the request body. A builder-level user can create a new global admin account and receive the generated password in the response, achieving full privilege escalation.
## Details
The vulnerability stems from a mismatch between the authorization level of the `onboardUsers` endpoin
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-27
Published