CVE-2026-46424
Published 2026-05-27
Priority: P424 · medium · CVSS 3.1 base score 4.2
CVSS 3.1 vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.16% (5.9th percentile)
Budibase is an open-source low-code platform. Prior to 3.38.2, the public API role unassignment endpoint (POST /api/public/v1/roles/unassign) updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user identity and permissions from this cache (TTL: 3600 seconds), a user whose admin, builder, or app-level roles have been revoked via the public API retains those privileges for up to 1 hour. This vulnerability is fixed in 3.38.2.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| budibase | backend-core | >= 0 < 3.38.2 | 3.38.2 |
| budibase | budibase | < 3.38.2 | 3.38.2 |
VulDB
budibase up to 3.38.1 Public API unassign privileges management
vuldb·2026-05-27·CVSS 4.2
CVE-2026-46424 [MEDIUM] budibase up to 3.38.1 Public API unassign privileges management
A vulnerability labeled as critical has been found in budibase up to 3.38.1. This impacts an unknown function of the file /api/public/v1/roles/unassign of the component Public API. The manipulation results in improper privilege management.
This vulnerability is cataloged as CVE-2026-46424. The attack may be launched remotely. There is no exploit available.
The affected component should be upgraded.
GHSA
Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour
ghsa·2026-05-19
CVE-2026-46424 [MEDIUM] CWE-269 Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour
Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour
## Summary
The public API role unassignment endpoint (`POST /api/public/v1/roles/unassign`) updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user identity and permissions from this cache (TTL: 3600 seconds), a user whose admin, builder, or app-level roles have been revoked via the public API retains those privileges for up to 1 hour.
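The following is an added illustration, not Budibase's code, of the cache-consistency defect the summary describes: a user store (standing in for CouchDB) whose authentication path reads identity and roles from a TTL cache (standing in for Redis). All names, the `us_example` user and the injected clock are constructed for the example; only the 3600-second TTL comes from the advisory. It contrasts an update that leaves the cache untouched with one that invalidates the entry, and shows that the stale entry is honoured until it expires.

```typescript
// Added illustration (not Budibase's code): a minimal model of the stale-cache
// pattern the advisory describes. Names and sample data here are constructed.

type Roles = { admin: boolean; builder: boolean; apps: Record<string, string> };
type UserDoc = { _id: string; email: string; roles: Roles };

// Cheap deep copy so the store, the cache and callers never share one object.
function clone<T>(v: T): T {
  return JSON.parse(JSON.stringify(v)) as T;
}

// Stand-in for the CouchDB user document store.
class UserStore {
  private docs = new Map<string, UserDoc>();
  save(doc: UserDoc): void {
    this.docs.set(doc._id, clone(doc));
  }
  get(id: string): UserDoc | undefined {
    const d = this.docs.get(id);
    return d ? clone(d) : undefined;
  }
}

// Stand-in for the Redis user cache with a TTL, driven by an injected clock
// so the example can advance time without sleeping.
class TtlCache {
  private entries = new Map<string, { value: UserDoc; expiresAt: number }>();
  private ttlMs: number;
  private now: () => number;
  constructor(ttlMs: number, now: () => number) {
    this.ttlMs = ttlMs;
    this.now = now;
  }
  get(key: string): UserDoc | undefined {
    const e = this.entries.get(key);
    if (!e) return undefined;
    if (e.expiresAt <= this.now()) {
      this.entries.delete(key); // expired: behave like a miss
      return undefined;
    }
    return clone(e.value);
  }
  set(key: string, value: UserDoc): void {
    this.entries.set(key, { value: clone(value), expiresAt: this.now() + this.ttlMs });
  }
  invalidate(key: string): void {
    this.entries.delete(key);
  }
}

// Stand-in for the authentication middleware: identity and roles come from the
// cache when an entry exists, otherwise from the store (and are cached for next time).
function resolveUser(id: string, cache: TtlCache, store: UserStore): UserDoc | undefined {
  const cached = cache.get(id);
  if (cached) return cached;
  const doc = store.get(id);
  if (doc) cache.set(id, doc);
  return doc;
}

type RevocableRole = "admin" | "builder";

// Vulnerable shape: the document is updated, the cache entry is left alone.
function unassignWithoutInvalidation(id: string, role: RevocableRole, store: UserStore, cache: TtlCache): void {
  const doc = store.get(id);
  if (!doc) return;
  doc.roles[role] = false;
  store.save(doc);
  void cache; // deliberately unused: this is the defect being illustrated
}

// Fixed shape: same write, followed by explicit invalidation of the cached user.
function unassignWithInvalidation(id: string, role: RevocableRole, store: UserStore, cache: TtlCache): void {
  const doc = store.get(id);
  if (!doc) return;
  doc.roles[role] = false;
  store.save(doc);
  cache.invalidate(id);
}

const TTL_MS = 3600 * 1000; // the 3600-second TTL the advisory cites

// One scenario: warm the cache, revoke admin, advance the clock by elapsedMs,
// then ask the middleware whether the user is still seen as admin.
function adminStillHonoured(invalidate: boolean, elapsedMs: number): boolean {
  let clock = 0;
  const store = new UserStore();
  const cache = new TtlCache(TTL_MS, () => clock);
  store.save({ _id: "us_example", email: "alice@example.test", roles: { admin: true, builder: true, apps: {} } });
  resolveUser("us_example", cache, store); // the user authenticated once, so the cache is warm
  const unassign = invalidate ? unassignWithInvalidation : unassignWithoutInvalidation;
  unassign("us_example", "admin", store, cache);
  clock += elapsedMs;
  const seen = resolveUser("us_example", cache, store);
  return seen !== undefined && seen.roles.admin;
}

console.log("no invalidation, 1 min later  :", adminStillHonoured(false, 60 * 1000)); // true
console.log("no invalidation, after the TTL:", adminStillHonoured(false, TTL_MS + 1)); // false
console.log("with invalidation, 1 min later:", adminStillHonoured(true, 60 * 1000)); // false
```

The third call is the behaviour a patched write path should have: revocation is visible on the very next request. A useful check when reviewing similar code is to grep every path that mutates a user document and confirm each one ends with the same cache invalidation the single-document save path already performs.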
## Details
The root cause is an inconsistency between the `UserDB.save()` and `UserDB.bulkUpdate()` code paths.
**Vulnerable path** — `packages/pro/src/sdk/publicApi/roles.ts:49-75`:
```typescript
export async function unAssign(use
```
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-27