CVE-2026-48150— Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-48150
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign
Source: NVD (National Vulnerability Database)
Vulnerability Description
Budibase is an open-source low-code platform. Prior to 3.39.0, /api/public/v1/roles/assign is guarded by the builderOrAdmin middleware, which passes any user who is a builder for the app id in the x-budibase-app-id header. That check admits both global builders and workspace-scoped builders (builder.apps set but builder.global unset). The controller then spreads the request body into the SDK call, and the SDK grants builder.global=true or admin.global=true on whichever user ids the caller supplies. Bob, a workspace-scoped builder with an API key, promotes himself or any other user to global admin with one POST. The whole flow is tenant-wide privilege escalation from an app-level role, available to anyone with an Enterprise license that unlocks the EXPANDED_PUBLIC_API feature. This vulnerability is fixed in 3.39.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-915
Source: NVD (National Vulnerability Database)
Vulnerability Title
Budibase 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Budibase是英国Budibase开源的一个用于在几分钟内创建内部应用程序、工作流和管理面板的低代码平台。 Budibase 3.39.0之前版本存在安全漏洞,该漏洞源于/api/public/v1/roles/assign端点受builderOrAdmin中间件保护但检查不充分,可能导致工作区范围的构建者提升自身或他人为全局管理员。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-48150
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-48150
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-48150 (1)
Same Patch Batch · Budibase · 2026-05-27 · 20 CVEs total
| CVE-2026-46425 | 9.9 CRITICAL | Budibase: SCIM endpoints lack role-based authorization, BASIC users CRUD tenant users |
| CVE-2026-45716 | 8.8 HIGH | Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Con |
| CVE-2026-45717 | 8.8 HIGH | Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permissio |
| CVE-2026-48153 | 8.5 HIGH | Budibase: SSRF via OAuth2 token endpoint URL reaches internal hosts and cloud metadata |
| CVE-2026-48149 | 8.1 HIGH | Budibase: Stored XSS in Text component: BASIC users execute JS in admin session via Markdo |
| CVE-2026-48152 | 8.1 HIGH | Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasour |
| CVE-2026-46427 | 7.7 HIGH | Budibase: Snowflake private key returned unmasked from datasource API to BASIC users |
| CVE-2026-45061 | 7.7 HIGH | Budibase: SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload (`/api/plugin`) |
| CVE-2026-48146 | 7.7 HIGH | Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection |
| CVE-2026-45548 | 7.7 HIGH | Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation |
| CVE-2026-45715 | 7.7 HIGH | Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration |
| CVE-2026-46426 | 7.6 HIGH | Budibase: Unrestricted Upload of File with Dangerous Type |
| CVE-2026-48151 | 7.5 HIGH | Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of |
| CVE-2026-48147 | 6.5 MEDIUM | Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection |
| CVE-2026-45719 | 6.5 MEDIUM | Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API |
| CVE-2026-45718 | 5.4 MEDIUM | Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on |
| CVE-2026-46424 | 4.2 MEDIUM | Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users |
| CVE-2026-48128 | Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step | |
| CVE-2026-48148 | Budibase: Unvalidated VectorDB Host Parameter Enables SSRF |
IV. Related Vulnerabilities
Same product: budibase
- CVE-2026-48147
Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypa - CVE-2026-48148
Budibase: Unvalidated VectorDB Host Parameter Enables SSRF - CVE-2026-45548
Budibase: SSRF in AI Extract File Automation Step via Missin - CVE-2026-45715
Budibase: SSRF Bypass via HTTP Redirect in REST Datasource I - CVE-2026-45716
Budibase: Builder-to-Admin Privilege Escalation via onboardU
Same vendor: Budibase
- CVE-2026-48147
Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypa - CVE-2026-48148
Budibase: Unvalidated VectorDB Host Parameter Enables SSRF - CVE-2026-45548
Budibase: SSRF in AI Extract File Automation Step via Missin - CVE-2026-45715
Budibase: SSRF Bypass via HTTP Redirect in REST Datasource I - CVE-2026-45716
Budibase: Builder-to-Admin Privilege Escalation via onboardU
Same weakness: CWE-915
- CVE-2026-8327
Concrete CMS below 9.5.0 and below is vulnerable to password - CVE-2026-6366
Drupal core - Moderately critical - Gadget Chain - SA-CORE-2 - CVE-2026-46721
Broken Access Control in extension "Frontend User Registrati - CVE-2026-45396
Open WebUI: Mass Assignment via FeedbackForm extra=allow All - CVE-2026-45229
Quark Drive (quark-auto-save) < 0.8.5 Mass Assignment via PO
V. Comments for CVE-2026-48150
No comments yet