Business Logic Flaw in Budibase Password Reset Functionality
CVE-2026-25043
5.3 MEDIUM
What is CVE-2026-25043?
Budibase, an open-source low-code platform, has a business logic vulnerability in its password reset functionality that can be exploited by unauthenticated attackers. In versions before 3.23.25, the 'Forgot Password' endpoint lacks adequate rate limiting, CAPTCHA, or other abuse prevention measures. This allows an attacker to repeatedly send password reset requests for the same email address, potentially flooding a user's inbox with hundreds of reset emails in a short time, leading to user harassment and denial of service. The issue is addressed in version 3.23.25, which adds protection against this kind of abuse.
Affected Version(s)
budibase < 3.23.25
