CVE-2026-25040

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.26.4

Description Budibase is a low code platform used for building internal tools, workflows, and admin panels. A Creator-level user, normally lacking UI permissions to invite users, can manipulate API requests to invite new users with any role – including Admin, Creator, or App Viewer – and assign them to any group within the organization. This enables full privilege escalation, bypassing UI restrictions, potentially leading to complete workspace or organization takeover. The API endpoint used for user invitation is susceptible to manipulation. The vulnerable request allows bypassing intended access controls.

Recommendations Update Budibase to version 3.26.4 or later.