Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured (the default for self-hosted Budibase instances), this endpoint bypasses the admin-restricted invite flow and directly creates users via bulkCreate, accepting arbitrary admin and builder role assignments from the request body. A builder-level user can create a new global admin account and receive the generated password in the response, achieving full privilege escalation. This vulnerability is fixed in 3.38.1.

AI Analysis

Privilege escalation vulnerability in Budibase via onboardUsers endpoint without SMTP configuration

Basic Information

ID CVE-2026-45716

Source GitHub_M

Published May 27, 2026 at 17:09

Affected Product

Vendor Budibase

Product budibase

Version < 3.38.1

Affected Versions Budibase budibase < 3.38.1

CWE Classification

CWE-269

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Budibase

Product Budibase

Version < 3.38.1

References

{
    "lastseen": "",
    "description": "Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured (the default for self-hosted Budibase instances), this endpoint bypasses the admin-restricted invite flow and directly creates users via bulkCreate, accepting arbitrary admin and builder role assignments from the request body. A builder-level user can create a new global admin account and receive the generated password in the response, achieving full privilege escalation. This vulnerability is fixed in 3.38.1.",
    "published": "2026-05-27T17:09:43.383Z",
    "modified": "2026-05-27T17:09:43.383Z",
    "type": "cve",
    "title": "Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration",
    "source": "GitHub_M",
    "references": "https://github.com/Budibase/budibase/security/advisories/GHSA-c54j-xp92-wh28\nhttps://github.com/Budibase/budibase/releases/tag/3.38.1",
    "id": "CVE-2026-45716",
    "bulletinFamily": "",
    "cwe": [
        "CWE-269"
    ],
    "cvelist": null,
    "sourceData": "Budibase budibase < 3.38.1",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "budibase",
    "version": "< 3.38.1",
    "vendor": "Budibase",
    "ai_description": "Privilege escalation vulnerability in Budibase via onboardUsers endpoint without SMTP configuration",
    "ai_severity": "High",
    "ai_vendor": "Budibase",
    "ai_product": "Budibase",
    "ai_version": "< 3.38.1",
    "ai_score": 8.8
}

Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration_CVE-2026-45716