Role Unassignment Vulnerability in Budibase Open-source Platform
CVE-2026-46424

4.2 MEDIUM

Key Information:

Vendor: Budibase
Status: Vendor
CVE Published: 27 May 2026

What is CVE-2026-46424?

Budibase, an open-source low-code platform, contains a vulnerability in its public API: role modifications are applied without invalidating the corresponding cached role data in Redis. Because of this insecure design, if a user's roles are revoked (for example, admin or builder privileges), the previously cached access rights can still be honored for up to one hour. As a result, a user whose roles have been revoked could retain unauthorized access to sensitive operations during that window. The issue has been addressed in Budibase version 3.38.2.
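The failure mode described above, as an added illustration that is not Budibase's code: a role cache that is only ever expired by its TTL, beside one that is invalidated in the same operation that changes the roles. A plain Map stands in for Redis, the one-hour TTL follows the figure given on this page, the user "alice" is a constructed sample, and the function names are hypothetical.

```javascript
// Added illustration (not Budibase code): stale role cache versus invalidate-on-write.
// A Map stands in for Redis; the clock is injectable so the TTL can be exercised
// without waiting an hour.

const ONE_HOUR_MS = 60 * 60 * 1000;

// Authoritative role store (stands in for the user database): userId -> Set of roles.
const userRoles = new Map();

// Cached role lookups with an expiry (stands in for Redis keys with a TTL):
// userId -> { roles: Set, expiresAt: ms }.
const roleCache = new Map();

let fakeNow = 0;
const now = () => fakeNow;
function advanceClock(ms) { fakeNow += ms; }

// Read a user's roles, serving from the cache until the entry's TTL lapses.
function getRolesCached(userId) {
  const hit = roleCache.get(userId);
  if (hit && hit.expiresAt > now()) return hit.roles;
  const fresh = new Set(userRoles.get(userId) ?? []);
  roleCache.set(userId, { roles: fresh, expiresAt: now() + ONE_HOUR_MS });
  return fresh;
}

// Authorization check as an API handler would perform it.
function hasRole(userId, role) {
  return getRolesCached(userId).has(role);
}

// Weak pattern: the store is updated, but the cached entry is left to expire on its own,
// so checks keep honoring the old roles until the TTL runs out.
function revokeRoleNoInvalidate(userId, role) {
  userRoles.get(userId)?.delete(role);
}

// Corrected pattern: update the store and drop the cached entry together,
// so the very next check reads the authoritative roles.
function revokeRoleWithInvalidate(userId, role) {
  userRoles.get(userId)?.delete(role);
  roleCache.delete(userId);
}

// Runs the same scenario against either revoke implementation:
// populate the cache, revoke admin, check immediately, then check after the TTL.
function runScenario(revoke) {
  userRoles.clear();
  roleCache.clear();
  fakeNow = 0;
  userRoles.set('alice', new Set(['admin']));   // constructed sample user
  hasRole('alice', 'admin');                     // warms the cache
  revoke('alice', 'admin');
  const immediatelyAfter = hasRole('alice', 'admin');
  advanceClock(ONE_HOUR_MS + 1);
  const afterTtl = hasRole('alice', 'admin');
  return { immediatelyAfter, afterTtl };
}

console.log('no invalidation:  ', runScenario(revokeRoleNoInvalidate));
console.log('with invalidation:', runScenario(revokeRoleWithInvalidate));
```

With the weak pattern the check still returns true right after revocation and only flips to false once the hour has elapsed; with invalidate-on-write it returns false immediately. A detection angle for the same class of bug is to diff the cache entry against the store on every privileged write, or to log any authorization decision whose cached roles are older than the user's last role change.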

Affected Version(s)

budibase < 3.38.2

CVSS V3.1

Score: 4.2
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
