PT-2026-42049 · Budibase · Budibase

Offset · Published 2026-05-19 · Updated 2026-05-27 · CVE-2026-46424

CVSS v3.1: 4.2 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 3.38.2
Description: The public API role unassignment endpoint "/api/public/v1/roles/unassign" updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. The authentication middleware resolves user identity and permissions from that cache, whose entries have a TTL of 3600 seconds, so a user whose admin, builder, or app-level roles are revoked through the public API keeps those privileges for up to one hour after the revocation has been written to the database. The root cause is an inconsistency between the two revocation paths: the public API handler persists the change via bulkUpdate(), which writes directly to the database without triggering cache invalidation, whereas the admin UI path does invalidate the cache. The window is bounded by the TTL; once the cached entry expires, the next request re-reads the user document from CouchDB and the revocation takes effect.
Recommendations: Update to version 3.38.2. As a temporary workaround, restrict access to the "/api/public/v1/roles/unassign" endpoint until the update is applied. Note that the workaround only prevents further revocations from taking the affected path; a revocation already issued through the public API does not become effective until the user's cached entry expires (up to 3600 seconds).
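As an added illustration of the bug class the description explains (this is not Budibase code; the in-memory Map "db" stands in for CouchDB, "cache" for the Redis user cache, and every function and user name below is a hypothetical stand-in), the following TypeScript models the two revocation paths side by side. The vulnerable path writes the updated user documents straight to the store, exactly as the description says bulkUpdate() does, so a middleware that resolves roles from the cache keeps granting the revoked role until the 3600-second TTL runs out; the fixed path performs the same write and then invalidates each affected user's cache entry. A simulated clock replaces real waiting so the TTL boundary can be checked deterministically.

```typescript
// Added example, not Budibase code: "db" stands in for CouchDB, "cache" for the
// Redis user cache, and all names below are hypothetical.

type Role = "ADMIN" | "BUILDER" | "BASIC";

interface UserDoc {
  _id: string;
  email: string;
  roles: Role[];
}

interface CacheEntry {
  doc: UserDoc;
  expiresAt: number; // simulated-clock seconds
}

// Simulated clock so the TTL can be advanced without real waiting.
let now = 0;
export function advanceClock(seconds: number): void {
  now += seconds;
}

const db = new Map<string, UserDoc>();        // source of truth (CouchDB stand-in)
const cache = new Map<string, CacheEntry>();  // user cache (Redis stand-in)
export const USER_CACHE_TTL_SECONDS = 3600;   // TTL quoted in the advisory

// Reset to a known state: two admins, nothing cached, clock at zero (constructed data).
export function seedUsers(): void {
  now = 0;
  db.clear();
  cache.clear();
  db.set("alice", { _id: "alice", email: "alice@example.test", roles: ["ADMIN", "BUILDER"] });
  db.set("bob", { _id: "bob", email: "bob@example.test", roles: ["ADMIN"] });
}

function getCached(id: string): UserDoc | undefined {
  const entry = cache.get(id);
  if (!entry) return undefined;
  if (entry.expiresAt <= now) {
    cache.delete(id); // expired; Redis would drop it for us
    return undefined;
  }
  return entry.doc;
}

function invalidateUser(id: string): void {
  cache.delete(id);
}

// Authentication-middleware stand-in: identity and permissions come from the
// cache; only on a miss is the database read and the result cached for the TTL.
export function resolveUser(id: string): UserDoc | undefined {
  const cached = getCached(id);
  if (cached) return cached;
  const doc = db.get(id);
  if (doc) {
    // Cache a copy, as a serialized Redis value would be, so later DB writes
    // cannot leak into the cached object by reference.
    cache.set(id, { doc: { ...doc, roles: [...doc.roles] }, expiresAt: now + USER_CACHE_TTL_SECONDS });
  }
  return doc;
}

export function hasRole(id: string, role: Role): boolean {
  const user = resolveUser(id);
  return user !== undefined && user.roles.includes(role);
}

// Bulk write straight to the database: persists documents, touches no cache.
function bulkUpdate(docs: UserDoc[]): void {
  for (const doc of docs) db.set(doc._id, doc);
}

function withRoleRemoved(ids: string[], role: Role): UserDoc[] {
  const updated: UserDoc[] = [];
  for (const id of ids) {
    const doc = db.get(id);
    if (doc) updated.push({ ...doc, roles: doc.roles.filter((r) => r !== role) });
  }
  return updated;
}

// Vulnerable path: the DB is correct immediately, but a cached entry keeps the
// old roles until its TTL expires.
export function unassignRoleVulnerable(ids: string[], role: Role): void {
  bulkUpdate(withRoleRemoved(ids, role));
}

// Fixed path: same write, then explicit invalidation of every affected user's
// cache entry, so the next request re-reads the database.
export function unassignRoleFixed(ids: string[], role: Role): void {
  const updated = withRoleRemoved(ids, role);
  bulkUpdate(updated);
  for (const doc of updated) invalidateUser(doc._id);
}

// Walk both paths and report what the middleware sees at each step.
export function demo(): { staleAdmin: boolean; afterTtl: boolean; fixedAdmin: boolean } {
  seedUsers();
  hasRole("alice", "ADMIN");                     // a request warms the cache
  unassignRoleVulnerable(["alice"], "ADMIN");    // DB no longer grants ADMIN ...
  const staleAdmin = hasRole("alice", "ADMIN");  // ... but the cache still does
  advanceClock(USER_CACHE_TTL_SECONDS);
  const afterTtl = hasRole("alice", "ADMIN");    // revocation visible only now

  hasRole("bob", "ADMIN");
  unassignRoleFixed(["bob"], "ADMIN");
  const fixedAdmin = hasRole("bob", "ADMIN");    // invalidation makes it immediate
  return { staleAdmin, afterTtl, fixedAdmin };
}
```

The design point the example makes is that cache invalidation must live on the write path itself (or in a single write helper every caller uses), not in one of several callers; a second entry point that reaches the store directly, as the public API handler does here, silently reopens the window. Auditing for this class of bug means listing every code path that writes a permission-bearing document and confirming each one invalidates or refreshes the cached copy.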

Weakness Enumeration

Improper Privilege Management (CWE-269)

Related Identifiers

CVE-2026-46424
GHSA-6VP2-6R7M-2JVX

Affected Products

Budibase