PT-2026-44061 · Budibase · Budibase

Adrgs · Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-48150

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 3.39.0

Description: An issue exists in the open-source low-code platform Budibase where the '/api/public/v1/roles/assign' endpoint is guarded by the builderOrAdmin middleware. This middleware lets any user who is a builder for the app ID given in the x-budibase-app-id header pass, including both global builders and workspace-scoped builders. The controller then spreads the request body into the SDK call, so the SDK can grant builder.global=true or admin.global=true to any user IDs the caller supplies. A workspace-scoped builder holding an API key can therefore promote themselves or other users to global admin, turning an app-level role into tenant-wide privilege escalation. The endpoint is only exposed to tenants with an Enterprise license that enables the EXPANDED PUBLIC API feature.

Recommendations: Update to version 3.39.0.
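The root cause described above is a mass-assignment pattern: the request body is spread straight into a privileged SDK call, so fields the caller was never meant to control (builder.global, admin.global) reach it. The following is an added illustration and not Budibase's own code: a stub SDK, a handler with the vulnerable spread, and a hardened handler that allow-lists fields and forwards global flags only when the caller is already a global admin. The names sdk.assign, ctx.user, ctx.appId and the handler functions are hypothetical stand-ins.

```javascript
// Added illustration, not Budibase's own code: the mass-assignment pattern the
// advisory describes (request body spread into a privileged SDK call) beside a
// hardened handler. `sdk.assign`, `ctx.user`, `ctx.appId` and the handler
// names are hypothetical stand-ins.

// Stub SDK: records exactly which fields reached the privileged call.
const sdk = {
  assign(opts) {
    return { userIds: opts.userIds, role: opts.role, builder: opts.builder, admin: opts.admin };
  },
};

// Vulnerable shape: the caller controls every field the SDK receives, so a
// workspace-scoped builder can include builder.global / admin.global.
function assignRoleVulnerable(ctx) {
  return { status: 200, result: sdk.assign({ appId: ctx.appId, ...ctx.request.body }) };
}

// Hardened shape: allow-list the fields the endpoint is meant to accept, and
// forward global flags only when the caller is already a global admin.
function assignRoleHardened(ctx) {
  const body = ctx.request.body || {};
  if (!Array.isArray(body.userIds) || typeof body.role !== "string") {
    return { status: 400, error: "userIds and role are required" };
  }
  const opts = { appId: ctx.appId, userIds: body.userIds, role: body.role };
  const wantsGlobal = body.builder?.global === true || body.admin?.global === true;
  if (wantsGlobal) {
    if (ctx.user?.admin?.global !== true) {
      return { status: 403, error: "global roles can only be granted by a global admin" };
    }
    opts.builder = body.builder;
    opts.admin = body.admin;
  }
  return { status: 200, result: sdk.assign(opts) };
}

// Constructed sample request: a builder scoped to a single app calls the
// app-level endpoint with a body that also carries admin.global=true.
function constructedRequest() {
  return {
    appId: "app_example",
    user: { builder: { apps: ["app_example"] } }, // workspace-scoped builder, not a global admin
    request: { body: { userIds: ["us_target"], role: "BASIC", admin: { global: true } } },
  };
}
```

Running both handlers on constructedRequest() shows the difference: the vulnerable handler passes admin.global=true through to the SDK, while the hardened one rejects it with 403 and only forwards global flags for a caller whose own user record already has admin.global.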

Related Identifiers: CVE-2026-48150

Affected Products: Budibase