Privilege Escalation Vulnerability in Budibase Low Code Platform
CVE-2026-25040
CVSS 5.7 MEDIUM
What is CVE-2026-25040?
In Budibase, a low-code platform for building internal tools, a serious vulnerability has been identified that allows Creator-level users to bypass restrictions that are enforced only in the UI. Specifically, these users can manipulate API requests to invite new users with any role, including Admin, Creator, or App Viewer, and can assign them to any group within the organization. This oversight leads to potential full privilege escalation, enabling unauthorized access to and control over the workspace or organization. No known fixed versions have been released as of the latest update, leaving users potentially exposed.
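The defensive pattern the advisory points at is that authorization for an invite must be decided server-side from the inviter's own privilege, not from what the client sends. The following is an added illustration, not Budibase code: the role names follow the advisory, but the rank ordering, the `managedGroups` ownership model, and both functions are assumptions made for the example.

```typescript
// Added illustration (not Budibase code). Role names follow the advisory;
// the rank ordering, the group-ownership model and both functions are assumed.

type Role = "APP_VIEWER" | "CREATOR" | "ADMIN";

// Assumed ordering: a higher number means more privilege.
const ROLE_RANK: Record<Role, number> = { APP_VIEWER: 1, CREATOR: 2, ADMIN: 3 };

interface Actor {
  id: string;
  role: Role;
  // Assumption: a non-admin inviter may only assign groups it manages.
  managedGroups: string[];
}

interface InviteRequest {
  email: string;
  role: Role;
  groups: string[];
}

type Decision = { ok: true } | { ok: false; reason: string };

// Vulnerable pattern: the UI hides the Admin option from Creators, but the
// server accepts whatever role and groups arrive in the request body.
function inviteTrustingClient(_actor: Actor, req: InviteRequest): InviteRequest {
  return { ...req }; // stored as-is: a Creator can mint an Admin
}

// Hardened pattern: compare the requested privilege against the inviter's.
function authorizeInvite(actor: Actor, req: InviteRequest): Decision {
  if (ROLE_RANK[req.role] > ROLE_RANK[actor.role]) {
    return { ok: false, reason: `role ${req.role} exceeds inviter role ${actor.role}` };
  }
  if (actor.role !== "ADMIN") {
    const allowed = new Set(actor.managedGroups);
    const denied = req.groups.filter((g) => !allowed.has(g));
    if (denied.length > 0) {
      return { ok: false, reason: `not permitted to assign groups: ${denied.join(", ")}` };
    }
  }
  return { ok: true };
}
```

The hardened check rejects the escalation case regardless of which role or groups the client chose to put in the request.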
Affected Version(s)
budibase <= 3.26.3
