Privilege Escalation Vulnerability in Budibase Low-Code Platform
CVE-2026-48150

9CRITICAL

Key Information:

Vendor: Budibase
Status: Budibase
Vendor: CVE Published:; 27 May 2026

What is CVE-2026-48150?

Budibase, an open-source low-code platform, contains a vulnerability that allows workspace-scoped builders to escalate their privileges to global admin. This occurs when the /api/public/v1/roles/assign endpoint, which should be adequately protected, fails to differentiate between workspace and global builders. As a consequence, users with an Enterprise license can exploit the vulnerability to promote themselves or any user to global admin status through a single API call. The issue is resolved in version 3.39.0, emphasizing the importance of upgrading to maintain security.

Affected Version(s)

budibase < 3.39.0

References

https://github.com/Budibase/budibase/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
May 20, 2026

CVE-2026-48150 Data

JSON