Unauthenticated Access Vulnerability in Budibase’s Low-Code Platform
CVE-2026-46425

9.9 CRITICAL

Key Information:

Vendor: Budibase
Status: Vendor
CVE Published: 27 May 2026

What is CVE-2026-46425?

Budibase, an open-source low-code platform, has a vulnerability that allows any authenticated user, regardless of their role, to access its SCIM endpoints. Prior to version 3.38.2, those endpoints were guarded only by limited middleware checks, so users with basic roles or workspace-scoped builders could perform Create, Read, Update, and Delete (CRUD) operations on all users and groups within the tenant. This flaw emphasizes the need for rigorous role verification on sensitive operations to protect user data.
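The following is an added illustration of the authorization gap the advisory describes, not Budibase's own code. It contrasts a guard that only confirms the caller is authenticated (the pattern the advisory attributes to versions before 3.38.2) with one that requires a tenant-level admin role for the tenant the SCIM resource belongs to. The role names, user shape, request shape and dispatcher are all hypothetical and constructed for the example.

```javascript
// Added example, not Budibase's code. Role names, user objects and the
// SCIM dispatcher are hypothetical; the point is the role check that must
// run before any SCIM CRUD handler executes.

const ROLES = Object.freeze({
  BASIC: "basic",
  WORKSPACE_BUILDER: "workspace_builder",
  TENANT_ADMIN: "tenant_admin",
});

// Constructed sample users: three in tenant t1, one admin of another tenant.
const users = {
  basic: { id: "u1", tenantId: "t1", roles: [ROLES.BASIC] },
  builder: { id: "u2", tenantId: "t1", roles: [ROLES.WORKSPACE_BUILDER], workspaces: ["ws-7"] },
  admin: { id: "u3", tenantId: "t1", roles: [ROLES.TENANT_ADMIN] },
  otherTenantAdmin: { id: "u4", tenantId: "t2", roles: [ROLES.TENANT_ADMIN] },
};

// Weak guard: mirrors the behaviour the advisory describes. Any authenticated
// session passes; the caller's role and tenant are never consulted.
function weakScimGuard(user, tenantId) {
  return Boolean(user);
}

// Strict guard: the caller must be authenticated, belong to the tenant the
// SCIM resource lives in, and hold the tenant-admin role. Workspace-scoped
// builder rights are deliberately insufficient: SCIM manages every user and
// group in the tenant, which is a tenant-level privilege, not a workspace one.
function strictScimGuard(user, tenantId) {
  if (!user) return false;
  if (user.tenantId !== tenantId) return false;
  return Array.isArray(user.roles) && user.roles.includes(ROLES.TENANT_ADMIN);
}

// Minimal dispatcher returning HTTP-like status codes so the effect of each
// guard is visible without a web framework. The SCIM operation itself is
// represented only by echoing the request; no real directory is touched.
function handleScim(guard, user, req) {
  if (!user) return { status: 401 };
  if (!guard(user, req.tenantId)) return { status: 403 };
  return { status: 200, op: req.op, path: req.path };
}

// Constructed request: a destructive SCIM operation against tenant t1.
const request = { tenantId: "t1", op: "DELETE", path: "/scim/v2/Users/u9" };

// Evaluate one guard against every sample caller plus an anonymous request.
function evaluate(guard) {
  const out = {};
  for (const [name, u] of Object.entries(users)) {
    out[name] = handleScim(guard, u, request).status;
  }
  out.anonymous = handleScim(guard, null, request).status;
  return out;
}

console.log("weak guard  :", evaluate(weakScimGuard));
console.log("strict guard:", evaluate(strictScimGuard));
```

With the weak guard every authenticated caller, including the basic user, the workspace builder and an admin of a different tenant, reaches the DELETE handler; with the strict guard only the tenant's own admin does, and everyone else receives 403. The tenant comparison matters as much as the role check: a role test alone would still let an admin of one tenant operate on another tenant's users.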

Affected Version(s)

budibase < 3.38.2

References

CVSS V3.1

Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
