Privilege Escalation in Budibase Low-Code Platform
CVE-2026-45716

8.8HIGH

Key Information:

Vendor: Budibase
Status: Budibase
Vendor: CVE Published:; 27 May 2026

What is CVE-2026-45716?

Inversions in Budibase, an open-source low-code platform, expose a significant security flaw prior to version 3.38.1. The vulnerability resides in the POST /api/global/users/onboard endpoint, which is not adequately protected when certain middleware checks fail. Specifically, if SMTP email settings are not configured (common with self-hosted instances), users with builder permissions can bypass the intended invite flow. This misconfiguration allows them to directly invoke user creation via bulkCreate, manipulating the request to assign arbitrary roles, including the global admin role. As a result, these users may gain full administrative access, which can severely compromise system integrity. This critical issue has been addressed in version 3.38.1.

Affected Version(s)

budibase < 3.38.1

References

https://github.com/Budibase/budibase/security/advisories/...

x_refsource_CONFIRM

https://github.com/Budibase/budibase/releases/tag/3.38.1

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
May 13, 2026

CVE-2026-45716 Data

JSON