PT-2026-41795 · Npm+2 · @Budibase/Worker+1

Offset

·

Published

2026-05-18

·

Updated

2026-05-27

·

CVE-2026-45716

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.38.1
Description An issue exists in the "POST /api/global/users/onboard" endpoint, which is protected by the workspaceBuilderOrAdmin middleware. This allows users with builder permissions to access the endpoint. In self-hosted instances where SMTP email is not configured, the endpoint bypasses the standard admin-restricted invite flow and uses the bulkCreate function to create users directly. Because the request body accepts arbitrary admin and builder role assignments, a builder-level user can create a new global admin account. The system then returns the generated password in the response, leading to full privilege escalation and platform compromise.
Recommendations Update to version 3.38.1. As a temporary workaround, restrict access to the "POST /api/global/users/onboard" endpoint to only authorized administrators.

Exploit

Fix

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45716
GHSA-C54J-XP92-WH28

Affected Products

@Budibase/Worker
Budibase