PT-2026-41795 · Npm+2 · @Budibase/Worker+1
Offset
·
Published
2026-05-18
·
Updated
2026-05-27
·
CVE-2026-45716
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Budibase versions prior to 3.38.1
Description
An issue exists in the "POST /api/global/users/onboard" endpoint, which is protected by the
workspaceBuilderOrAdmin middleware. This allows users with builder permissions to access the endpoint. In self-hosted instances where SMTP email is not configured, the endpoint bypasses the standard admin-restricted invite flow and uses the bulkCreate function to create users directly. Because the request body accepts arbitrary admin and builder role assignments, a builder-level user can create a new global admin account. The system then returns the generated password in the response, leading to full privilege escalation and platform compromise.Recommendations
Update to version 3.38.1.
As a temporary workaround, restrict access to the "POST /api/global/users/onboard" endpoint to only authorized administrators.
Exploit
Fix
Improper Privilege Management
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
@Budibase/Worker
Budibase