CVE-2026-46425

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.38.2

Description An authorization bypass exists in the SCIM router within packages/worker/src/api/routes/global/scim.ts. The router only utilizes the requireSCIM and doInScimContext middlewares, failing to implement a role check. Consequently, any authenticated user, including those with the BASIC role or workspace-scoped builders, can access SCIM endpoints to perform Create, Read, Update, and Delete (CRUD) operations on every user and group within the tenant, potentially allowing them to delete administrators or hijack accounts.

Recommendations Update to version 3.38.2.