Vulnerability Description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. This issue is a combination of Vertical Privilege Escalation and IDOR (Insecure Direct Object Reference) due to missing server-side RBAC checks in the /api/global/users endpoints. A Creator-level user, who should have no permissions to manage users or organizational roles, can instead promote an App Viewer to Tenant Admin, demote a Tenant Admin to App Viewer, or modify the Owner’s account details and all orders (e.g., change name). This is because the API accepts these actions without validating the requesting role, a Creator can replay Owner-only requests using their own session tokens. This leads to full tenant compromise.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Budibase | Budibase | <= 3.32.3 |
Related Weaknesses (CWE)
References
- https://github.com/Budibase/budibase/security/advisories/GHSA-2g39-332f-68p9ExploitVendor Advisory
FAQ
What is CVE-2026-25045?
CVE-2026-25045 is a vulnerability with a CVSS score of 8.8 (HIGH). Budibase is a low code platform for creating internal tools, workflows, and admin panels. This issue is a combination of Vertical Privilege Escalation and IDOR (Insecure Direct Object Reference) due t...
How severe is CVE-2026-25045?
CVE-2026-25045 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-25045?
Check the references section above for vendor advisories and patch information. Affected products include: Budibase Budibase.