CVE-2026-45716 Overview
CVE-2026-45716 is a privilege escalation vulnerability in Budibase, an open-source low-code platform. The flaw exists in the POST /api/global/users/onboard endpoint, which is protected only by the workspaceBuilderOrAdmin middleware. Any authenticated user with builder permissions can invoke this endpoint. When Simple Mail Transfer Protocol (SMTP) email is not configured, which is the default for self-hosted instances, the endpoint bypasses the admin-restricted invite flow. A builder-level user can create a new global admin account and receive the generated password in the HTTP response. The vulnerability is fixed in version 3.38.1.
Critical Impact
A builder-level account can escalate to global administrator on self-hosted Budibase deployments running versions prior to 3.38.1 without SMTP configured.
Affected Products
- Budibase versions prior to 3.38.1
- Self-hosted Budibase instances without SMTP email configuration
- Deployments using the default onboarding workflow
Discovery Timeline
- 2026-05-27 - CVE-2026-45716 published to the National Vulnerability Database (NVD)
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45716
Vulnerability Analysis
The vulnerability resides in Budibase's global user onboarding API. The POST /api/global/users/onboard route is guarded by the workspaceBuilderOrAdmin middleware. This middleware permits any user holding builder privileges within a workspace, not just administrators. The endpoint was designed to bootstrap users through an invite-and-email flow gated to administrators.
When SMTP is unconfigured, the route takes an alternate code path. It calls the bulkCreate user provisioning function directly. The handler accepts role assignments, including admin and builder flags, from the request body without validation against the caller's privilege level. The server returns the newly generated password in the JSON response since no email channel exists to deliver it.
This weakness maps to [CWE-269] Improper Privilege Management. The attack requires only an authenticated builder account and network access to the management API, which is reachable from any client that can speak to the Budibase global server.
Root Cause
The root cause is twofold. First, the authorization middleware does not restrict the onboarding endpoint to global administrators. Second, the SMTP-disabled fallback branch trusts client-supplied role fields and returns the credential plaintext. Together, these design choices allow a low-privileged user to provision arbitrary global admin accounts.
Attack Vector
An attacker authenticates with builder-level credentials, obtainable through legitimate workspace access or compromise of any builder account. The attacker sends a crafted JSON POST request to /api/global/users/onboard containing a new user object with admin: true and builder: true role attributes. The server provisions the account via bulkCreate and returns the generated password. The attacker then authenticates as the new global administrator and takes full control of the tenant, including all workspaces, data sources, and user records.
No public proof-of-concept code has been published; the attack is described in prose only. See the GitHub Security Advisory for additional technical detail.
Detection Methods for CVE-2026-45716
Indicators of Compromise
- Unexpected POST requests to /api/global/users/onboard originating from non-administrator sessions
- Creation of global admin accounts with no corresponding invite email or audit trail entry
- New user records containing both admin and builder role flags created outside normal provisioning windows
- Authentication events for newly created admin accounts originating from IP addresses associated with builder users
Detection Strategies
- Inspect Budibase application and reverse-proxy access logs for requests to the /api/global/users/onboard route and correlate the caller's session role against the action performed
- Alert on creation of any user with the admin role flag and compare the actor to the approved administrator list
- Compare the current global administrator inventory against a known-good baseline (an approved admin list or an export taken before the vulnerable window) to identify rogue accounts created prior to patching; a bare count can miss a rogue admin if a legitimate one was removed in the same period
Monitoring Recommendations
- Forward Budibase audit logs and HTTP access logs to a centralized log platform for retention and correlation
- Build a detection rule that flags 2xx responses from /api/global/users/onboard paired with role-elevation fields in the request body; this needs a log source that records bodies and the caller's identity (the application log, or a proxy configured to capture them), since stock reverse-proxy access logs record neither
- Track administrator account inventory changes on a recurring schedule and require human review of net-new admin entries
How to Mitigate CVE-2026-45716
Immediate Actions Required
- Upgrade all self-hosted Budibase instances to version 3.38.1 or later without delay
- Audit existing global administrator accounts and disable any that cannot be tied to an authorized user
- Rotate credentials for all builder-level accounts and terminate their active sessions, since any of them may have been used to exploit the flaw (a password change alone does not necessarily end an existing session)
- Review user creation logs covering the period before the patch was applied
Patch Information
Budibase released version 3.38.1, which contains the fix for CVE-2026-45716. Refer to the Budibase 3.38.1 Release Notes and the GitHub Security Advisory GHSA-c54j-xp92-wh28 for upgrade guidance.
Workarounds
- Configure SMTP email in the Budibase global settings so the onboarding endpoint takes the invite path instead of the bulk-create fallback; this only closes the password-in-response branch, the route itself remains reachable by builders until the patch is applied, so treat it as a stopgap rather than a fix
- Restrict network access to the Budibase global server so only trusted administrators can reach /api/global/users/onboard
- Limit the assignment of builder permissions to a minimum set of trusted users until the patch is applied
# Verify the running Budibase version and plan the upgrade
# List running containers started from the Budibase image and the tag each one runs
docker ps --filter "ancestor=budibase/budibase" --format '{{.Names}}  {{.Image}}'
# Pin the fixed tag in the compose file (or its .env) before pulling; a multi-image
# compose stack must pin the same version on every Budibase image it runs
docker pull budibase/budibase:3.38.1
docker compose pull && docker compose up -d
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.