CVE-2026-25045

Name of the Vulnerable Software and Affected Versions Budibase (affected versions not specified)

Description The platform exhibits a combination of Vertical Privilege Escalation and Insecure Direct Object Reference (IDOR) due to missing server-side Role-Based Access Control (RBAC) checks in the /api/global/users endpoints. A Creator-level user can perform actions beyond their authorized permissions, such as promoting an App Viewer to Tenant Admin, demoting a Tenant Admin to App Viewer, or modifying the Owner’s account details and all orders. This is possible because the API accepts these actions without validating the requesting role, allowing a Creator to replay Owner-only requests using their own session tokens, potentially leading to full tenant compromise. IDOR, or Insecure Direct Object Reference, is a type of access control issue that allows attackers to bypass authorization checks by directly manipulating object identifiers.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.