
Budibase Hit by Five Critical Authz Flaws: CVE-2026-46425 et al., Update to v3.39.0

Five critical authorization and SSRF vulnerabilities in the Budibase low-code platform (CVE-2026-46425/48150/45716/45717/48153, CVSS 9.9 to 8.5) were disclosed on May 27, 2026. Issues range from SCIM router bypass to tenant-wide privilege escalation to global admin. Fixed in v3.39.0.


Makoto Horikawa

Backend Engineer / AWS / Django

2026.05.28 | 8 min read

On May 27, 2026, five critical vulnerabilities were disclosed simultaneously in Budibase, the open-source low-code and AI agent platform with 28,000 GitHub stars. The highest is rated CVSS 9.9 and even the lowest 8.5, and every one of them is classified as either an authorization control failure or an SSRF. Successful exploitation can lead to outcomes as severe as tenant-wide account takeover and privilege escalation to global admin.

All versions up to and including v3.38.0 are affected, including the v3.37.x branch (for CVE-2026-48150 and CVE-2026-48153, v3.38.x is also in scope). Everything is fixed in the latest v3.39.0 release, and any organization running Budibase on its own infrastructure should treat the upgrade as top priority.

Budibase is an open-source platform that lets teams build internal business apps, AI agents, and workflow automations by simply dragging and dropping blocks on a canvas. It has seen growing adoption in both enterprises and SMBs for internal core systems, approval workflows, and help-desk automation. The five CVEs disclosed today are concentrated in the structural core of its "multi-tenant + role-based" model, suggesting gaps left in design-stage review.

CVE             CVSS  Issue                                                          Fixed in
CVE-2026-46425  9.9   SCIM router: missing authorization (tenant-wide)               v3.38.2
CVE-2026-48150  9.0   /roles/assign: escalation to global admin                      v3.39.0
CVE-2026-45716  8.8   /users/onboard: builder-to-admin escalation                    v3.38.1
CVE-2026-45717  8.8   Datasource configuration tampering: redirect to internal IPs   v3.38.1
CVE-2026-48153  8.5   OAuth2 fetchToken SSRF                                         v3.39.0

What Budibase Is

Budibase is an open-source low-code platform developed by a UK startup. Under the tagline "Engineers save 100s of hours building Agents, Apps and Automations, securely," it lets teams assemble internal business apps, workflow automations, and AI agent integrations through drag-and-drop blocks on a canvas. Gartner's low-code coverage often positions it alongside commercial offerings such as Retool and Appsmith.

Typical use cases include:

  • Building internal help-desk and approval workflows without code and wiring them into existing core systems
  • Letting an AI agent receive employee chat inquiries, pull data from internal business systems, and respond automatically
  • Turning spreadsheet-based work such as marketing and sales customer-list management into web apps
  • Automated user provisioning from Okta or Azure AD via SCIM (an enterprise feature)
  • Self-hosting on Docker / Kubernetes / DigitalOcean and similar platforms, or managed hosting on Budibase Cloud

In Japan, Budibase is gaining traction as a flagship tool for internal DX initiatives and as an "escape from Excel" platform, with a growing number of SIers offering enterprise deployment support. The five CVEs disclosed today land squarely on multi-tenant features, global role management, the enterprise SCIM integration, datasource configuration, and OAuth2 integration — the core machinery of enterprise operations — so self-hosting organizations take a direct hit.

The Five CVEs In Detail

CVE-2026-46425: Missing Authorization in the SCIM Router (CVSS 9.9)

The most severe of the bunch is CVE-2026-46425. The SCIM (System for Cross-domain Identity Management) router had no role-based access control (RBAC) attached, and — in the words of the advisory — "any authenticated user who can reach the worker (BASIC role, workspace-limited builder, anyone)" was able to hit the SCIM endpoints and perform full CRUD on every user and group in the tenant.

SCIM is the mechanism used to receive identity-management requests like "add this user" or "remove this user from that group" from Okta, Azure AD, Google Workspace, and similar providers, and those endpoints normally require enterprise-level admin privileges. With access wide open to anyone who could log in, a successful attacker could create, delete, and reassign employee accounts across the entire tenant as a low-privilege user. Pivoting from a compromised account, an attacker could add themselves to admin groups, delete rivals, or rewrite everyone's email addresses to hijack the password-reset path — all relatively anonymously. Fixed in v3.38.2. CWE-862 (Missing Authorization).

CVE-2026-48150: builder-to-Global-Admin Escalation via /roles/assign (CVSS 9.0)

CVE-2026-48150 affects Enterprise installations that have the EXPANDED_PUBLIC_API feature enabled. The POST /api/public/v1/roles/assign endpoint failed to properly validate user privileges, letting a user with only a workspace-scoped builder role promote themselves or anyone else to global admin.

A foundational assumption of any low-code platform is that a workspace-scoped builder has strong powers inside their own workspace but cannot touch the tenant as a whole. CVE-2026-48150 demolishes that assumption. The EXPANDED_PUBLIC_API feature is offered under Enterprise contracts to strengthen integration with external systems, but for any organization that had it enabled, every builder effectively held a latent tenant-takeover privilege. The advisory cites CWE-915 (Improperly Controlled Modification of Object Attributes). Fixed in v3.39.0.

CVE-2026-45716: Admin Account Creation From an SMTP-less Environment via /users/onboard (CVSS 8.8)

CVE-2026-45716 is an authorization flaw in POST /api/global/users/onboard that lets a builder-level user bypass the admin-restricted invitation flow and create new accounts with arbitrary admin or builder roles directly attached.

It is particularly potent when SMTP email is not yet configured (the default state for a fresh self-hosted install). In that mode, the flow that normally "sends an invitation email so the recipient can set their own password" switches to returning the generated password directly in the response body. An attacker can take that response and immediately log back in as a freshly minted global admin. The advisory cites CWE-269 (Improper Privilege Management). Fixed in v3.38.1.

CVE-2026-45717: Internal IP Access via Datasource Configuration Tampering (CVSS 8.8)

CVE-2026-45717 lets unauthorized non-builder app users tamper with Budibase datasource configurations. According to the advisory, an attacker can redirect database connection targets to internal IP addresses, and in network topologies that lack SSRF defenses, harvest credentials and reach further into internal services for reconnaissance.

Because a low-code platform centrally stores "the configuration data needed to connect to external SaaS APIs and internal databases," its datasource settings function as a master key ring for the internal network. Letting low-privilege users rewrite those settings fundamentally breaks the tenant-level authorization model. Fixed in v3.38.1. CWE-862 (Missing Authorization).

CVE-2026-48153: OAuth2 fetchToken SSRF (CVSS 8.5)

CVE-2026-48153 is a bug in the OAuth2 SDK's fetchToken function: POST requests to a URL supplied by a Budibase builder were not run through the blocklist checks used elsewhere in the codebase. The Joi schema validation also did not constrain the URL's scheme or host, enabling a Server-Side Request Forgery (SSRF) attack. The advisory cites CWE-918. Fixed in v3.39.0.

SSRF is an attack in which an adversary makes Budibase send requests to internal-network services that would normally be unreachable from outside. AWS IMDS metadata (the instance's IAM credentials), internal Redis and database instances, the Kubernetes API, and internal microservices all become part of the attack surface. The CVSS of "8.5" sits below the others on paper, but because SSRF can pinpoint a specific path to sensitive internal assets, the real-world impact is anything but trivial.

The Common Pattern: Multi-Tenant Role-Based Authz Failures

The substance of this disclosure is that none of the five bugs are isolated one-offs: every one of them is an authorization-boundary problem inside Budibase's core "multi-tenant, multi-role" design.

  • Tenant-boundary authorization: CVE-2026-46425 (SCIM)
  • builder-role-boundary authorization: CVE-2026-48150 (roles/assign), CVE-2026-45716 (users/onboard), CVE-2026-45717 (datasource)
  • Server-side request boundary: CVE-2026-48153 (OAuth2 SSRF)

Low-code platforms are designed around layered roles — "Employee A is the admin of this tool, Employee B is a user, external contractor C only has read access." Soften any one of those authorization boundaries and the entire trust model collapses. The fact that all five were disclosed at once suggests the Budibase team has been working through an internal audit and tackling the issues structurally. Organizations running it under an Enterprise contract should keep a close eye on how Budibase's official security hardening guidance evolves from here.

What To Do Now

1. Update Budibase to v3.39.0 or later. For Docker Compose deployments, switch the tag on the budibase/standard image to the latest. On Kubernetes, bump the Helm chart version; on DigitalOcean's managed app, a one-click upgrade is available from the dashboard. Budibase Cloud customers should already be running the patched version on the underlying platform, but it's worth confirming on the official status page.

2. Audit the last 30 days of admin and builder role-change logs. For any period when v3.38.0 or earlier was in production, review access logs for /api/public/v1/roles/assign, /api/global/users/onboard, and /scim/v2/. Any unfamiliar privilege escalations or unexplained account creations should be treated as possible signs of exploitation.

3. Inventory every admin and builder account in the tenant. Eyeball the global admin list to confirm that each account corresponds to someone who actually should be an admin. If CVE-2026-45716 or CVE-2026-48150 was exploited, a "global admin" account no one remembers provisioning may still be sitting there.

4. Inspect datasource configurations against the running system. If CVE-2026-45717 was exploited, Budibase's datasource settings may have been rewritten from external databases to internal IPs. Verify the hostname and IP on each configuration entry against reality to make sure no unexpected destinations have slipped in.

5. Rotate any OAuth2 client secrets used in integrations. CVE-2026-48153's SSRF may have let attackers swap the OAuth2 authorization-token endpoint for an attacker-controlled URL. The safe-side play is to rotate every OAuth client secret on connected services (Slack, Google Workspace, Microsoft Graph, etc.) as a precaution.

6. Don't run with SMTP email configuration left incomplete. The trigger for CVE-2026-45716 was "SMTP not configured." Completing the SMTP configuration restores the correct invitation flow, where new account creation always routes through email. This is a guardrail worth keeping in place permanently, even after the patch is applied.
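The log review in steps 2 and 3, as an added example that is not part of the article or of Budibase: it triages nginx combined-format access-log lines for state-changing requests to the three endpoints named above. The log lines are constructed, and the remote-user column is assumed to carry the authenticated user; where your proxy leaves it as "-", correlate by source IP and session instead.

```javascript
// Endpoints the article tells operators to review, with the CVE each one is
// tied to and the state-changing methods that would indicate abuse. Plain
// GETs on /scim/v2/ are ordinary IdP synchronisation traffic and are skipped.
const WATCHED = [
  { prefix: "/api/public/v1/roles/assign", cve: "CVE-2026-48150", methods: ["POST"] },
  { prefix: "/api/global/users/onboard",   cve: "CVE-2026-45716", methods: ["POST"] },
  { prefix: "/scim/v2/",                   cve: "CVE-2026-46425", methods: ["POST", "PUT", "PATCH", "DELETE"] },
];

// nginx "combined" format (assumed): ip - user [time] "METHOD path HTTP/x" status ...
const LINE_RE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], user: m[2], time: m[3], method: m[4], path: m[5].split("?")[0], status: Number(m[6]) };
}

// Returns { findings, rejected }: one finding per successful (2xx) state-changing
// request to a watched endpoint, plus a count of 401/403 refusals, since a burst
// of refusals against these paths is probing worth noting on its own.
function triage(lines) {
  const findings = [];
  let rejected = 0;
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    const hit = WATCHED.find((w) => req.path.startsWith(w.prefix) && w.methods.includes(req.method));
    if (!hit) continue;
    if (req.status >= 200 && req.status < 300) {
      findings.push({ cve: hit.cve, ip: req.ip, user: req.user, time: req.time, method: req.method, path: req.path });
    } else if (req.status === 401 || req.status === 403) {
      rejected += 1;
    }
  }
  return { findings, rejected };
}

// Constructed sample log (not real traffic). A SCIM write and an onboard call
// from the same low-privilege user, followed by a refused roles/assign attempt,
// is exactly the sequence steps 2 and 3 above are meant to surface.
const SAMPLE_LOG = [
  '10.20.0.5 - alice [28/May/2026:09:14:02 +0900] "GET /api/global/self HTTP/1.1" 200 512 "-" "curl/8.5"',
  '10.20.0.9 - bob [28/May/2026:09:15:10 +0900] "POST /scim/v2/Users HTTP/1.1" 201 640 "-" "python-requests/2.31"',
  '10.20.0.9 - bob [28/May/2026:09:15:44 +0900] "POST /api/global/users/onboard HTTP/1.1" 200 380 "-" "python-requests/2.31"',
  '10.20.0.9 - bob [28/May/2026:09:16:01 +0900] "POST /api/public/v1/roles/assign HTTP/1.1" 403 96 "-" "python-requests/2.31"',
  '10.20.0.7 - - [28/May/2026:09:17:30 +0900] "GET /scim/v2/Groups HTTP/1.1" 200 2048 "-" "Okta-SCIM"',
];

module.exports = { parseLine, triage, SAMPLE_LOG };
```

Each finding should be matched against a change ticket or a known IdP egress address; a SCIM write that did not originate from the identity provider is the case to escalate.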

CISA KEV Status And Related Coverage

As of May 28, 2026, none of the five Budibase CVEs are listed in the CISA KEV catalog. As an open-source low-code platform, Budibase sits some distance from CISA KEV's primary audience (US federal agency environments), but its use as a replacement for internal core systems in enterprises is growing, and KEV inclusion can't be ruled out if active exploitation is observed.

On this site we continually update the list of CVEs that CISA has flagged as under active attack — along with their remediation deadlines — on the CISA KEV Dashboard (Japanese). CVE coverage for comparable low-code / no-code platforms (Retool, Appsmith, n8n and others) is tracked together on the OSS supply chain scanner.

The "multi-tenant + layered roles" structure of a low-code platform is shared across the category, and the five authorization-boundary problems Budibase exposed this week will likely be remembered as the incident that pushed comparable audits onto other open-source low-code stacks. For enterprise operators, the most actionable lesson is to drive internal audits across every low-code platform in use, focused on four pillars: the SCIM router, role-assignment APIs, datasource-tampering paths, and SSRF defenses around OAuth2 integration.
