
CVE-2026-46424: Budibase Auth Bypass Vulnerability

CVE-2026-46424 is an authentication bypass flaw in Budibase that allows revoked users to retain admin privileges for up to 1 hour due to cache invalidation issues. This article covers technical details, affected versions, and fixes.


CVE-2026-46424 Overview

CVE-2026-46424 affects Budibase, an open-source low-code platform for building internal tools and applications. The vulnerability exists in versions prior to 3.38.2 and stems from a cache invalidation flaw in the public API role unassignment endpoint. When administrators revoke roles through POST /api/public/v1/roles/unassign, Budibase updates user documents in CouchDB but fails to invalidate the corresponding Redis user cache entries. The authentication middleware resolves user identity and permissions from this stale cache, allowing revoked users to retain admin, builder, or app-level privileges for up to one hour. The flaw is classified as Improper Privilege Management [CWE-269].

Critical Impact

Users with revoked admin, builder, or app-level roles retain their privileges for up to 3600 seconds (1 hour) after revocation due to stale Redis cache entries.

Affected Products

  • Budibase versions prior to 3.38.2
  • Budibase public API role management endpoints
  • Self-hosted and cloud Budibase deployments using the public API for role administration

Discovery Timeline

  • 2026-05-27 - CVE-2026-46424 published to NVD
  • 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-46424

Vulnerability Analysis

The vulnerability resides in Budibase's authentication and authorization pipeline. Budibase uses CouchDB as its primary user store and Redis as a performance cache for user identity and permission lookups. The authentication middleware reads from the Redis cache on every request to avoid repeated CouchDB queries. Cache entries carry a time-to-live (TTL) of 3600 seconds.

The public API endpoint POST /api/public/v1/roles/unassign correctly updates the user document in CouchDB to reflect role removal. However, it does not issue a corresponding cache invalidation for the affected user's Redis entry. As a result, the authentication middleware continues to serve the pre-revocation role set until the cache entry expires naturally.

Root Cause

The root cause is a missing cache invalidation step in the role unassignment code path. Write operations through the public API update the authoritative data store but bypass the cache coherence logic that other administrative paths invoke. This produces a stale-read window equal to the cache TTL.
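The stale-read window described above, as an added simulation that is not Budibase code: an authoritative store stands in for CouchDB, a TTL cache stands in for Redis, and the only difference between the vulnerable and fixed unassignment paths is the cache invalidation step. The 3600-second TTL is the value the advisory states; user ids and roles are constructed.

```python
from dataclasses import dataclass, field

CACHE_TTL_SECONDS = 3600  # TTL stated in the advisory


@dataclass
class RoleService:
    """Authoritative store (stands in for CouchDB) plus a TTL cache (stands in for Redis)."""
    store: dict = field(default_factory=dict)  # user_id -> set of roles
    cache: dict = field(default_factory=dict)  # user_id -> (roles, expires_at)

    def assign(self, user_id, roles):
        self.store[user_id] = set(roles)
        self.cache.pop(user_id, None)

    def effective_roles(self, user_id, now):
        """What the auth middleware sees: cached entry while it is live, store on miss or expiry."""
        entry = self.cache.get(user_id)
        if entry is not None and entry[1] > now:
            return set(entry[0])
        roles = set(self.store.get(user_id, set()))
        self.cache[user_id] = (set(roles), now + CACHE_TTL_SECONDS)
        return roles

    def unassign_vulnerable(self, user_id, role):
        """Pre-fix behaviour as described: the store is updated, the cache entry is left alone."""
        self.store[user_id].discard(role)

    def unassign_fixed(self, user_id, role):
        """Corrected path: update the store, then drop the cached identity so the next read re-resolves."""
        self.store[user_id].discard(role)
        self.cache.pop(user_id, None)


def replay(fixed):
    """Warm the cache at t=0, revoke 'admin', then observe effective roles at t=10 and just past the TTL."""
    svc = RoleService()
    svc.assign("u1", {"admin", "builder"})     # constructed user
    svc.effective_roles("u1", now=0)           # a request at t=0 populates the cache
    unassign = svc.unassign_fixed if fixed else svc.unassign_vulnerable
    unassign("u1", "admin")
    return {
        "t=10": svc.effective_roles("u1", now=10),
        "t=3601": svc.effective_roles("u1", now=3601),
    }


if __name__ == "__main__":
    print("vulnerable:", replay(fixed=False))
    print("fixed:     ", replay(fixed=True))
```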

Attack Vector

Exploitation requires that a user already hold elevated roles in Budibase. After an administrator revokes those roles via the public API, the user can continue calling builder or admin endpoints using their existing session or API key for up to one hour. The attacker performs no special action beyond continuing to use credentials they already possess. The flaw is exploitable over the network but requires low privileges and a narrow timing window, which limits practical impact.

No public proof-of-concept code is available. See the GitHub Security Advisory GHSA-6vp2-6r7m-2jvx for vendor technical details.

Detection Methods for CVE-2026-46424

Indicators of Compromise

  • Successful authenticated requests to builder or admin endpoints from a user account whose roles were recently revoked through /api/public/v1/roles/unassign.
  • Discrepancy between the role set recorded in CouchDB user documents and the role set observed in active session activity within a one-hour window.
  • Audit log entries showing role unassignment followed by continued privileged API calls from the same user identifier.

Detection Strategies

  • Correlate role revocation events from the public API against subsequent authenticated requests by the same user within 3600 seconds.
  • Compare effective permissions used per request against the current CouchDB user document state to surface stale-cache authorizations.
  • Alert on any privileged action (app modification, user management, builder operations) performed by accounts that have had roles unassigned in the last hour.
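The first and third strategies above as an added detection example, not part of the original page: it replays constructed JSON-lines audit events, remembers the most recent role unassignment per target user, and raises an alert for every successful privileged request that user makes within the 3600-second window. The event field names and the privileged route prefixes are assumptions standing in for your deployment's own audit schema and admin/builder routes.

```python
import json

WINDOW_SECONDS = 3600  # cache TTL stated in the advisory

# Placeholder route prefixes standing in for builder/admin endpoints (assumption, not Budibase's routing table).
PRIVILEGED_PREFIXES = ("/api/admin/", "/api/builder/")

# Constructed sample audit log: u2 loses 'admin' at ts=1100 but keeps calling an admin route.
SAMPLE_LOG = """
{"ts": 1000, "event": "request", "user": "u2", "path": "/api/builder/apps", "status": 200}
{"ts": 1100, "event": "role.unassigned", "actor": "admin1", "target_user": "u2", "role": "admin"}
{"ts": 1200, "event": "request", "user": "u2", "path": "/api/admin/users", "status": 200}
{"ts": 1300, "event": "request", "user": "u3", "path": "/api/admin/users", "status": 200}
{"ts": 1400, "event": "request", "user": "u2", "path": "/api/self", "status": 200}
{"ts": 5000, "event": "request", "user": "u2", "path": "/api/admin/users", "status": 403}
"""


def is_privileged(path):
    return path.startswith(PRIVILEGED_PREFIXES)


def correlate(lines, window=WINDOW_SECONDS):
    """Return alerts for successful privileged requests made within `window` seconds of the caller's role revocation."""
    events = sorted((json.loads(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    revoked_at = {}  # target user -> timestamp of most recent unassignment
    alerts = []
    for ev in events:
        if ev["event"] == "role.unassigned":
            revoked_at[ev["target_user"]] = ev["ts"]
        elif ev["event"] == "request":
            t0 = revoked_at.get(ev["user"])
            if t0 is None:
                continue
            age = ev["ts"] - t0
            # Only a 2xx/3xx to a privileged route inside the TTL window is a stale-cache authorization.
            if 0 <= age <= window and is_privileged(ev["path"]) and ev["status"] < 400:
                alerts.append({"user": ev["user"], "path": ev["path"], "seconds_after_revocation": age})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

The request at ts=5000 is outside the window and was denied, which is the expected behaviour once the cache entry has expired and re-resolved from CouchDB.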

Monitoring Recommendations

  • Enable verbose access logging on the Budibase public API and forward logs to a centralized SIEM for correlation.
  • Track Redis cache hit and invalidation metrics for the user permission keyspace to identify abnormal TTL expiry patterns.
  • Monitor for usage of POST /api/public/v1/roles/unassign and flag the user whose role was removed for elevated review during the cache TTL window.

How to Mitigate CVE-2026-46424

Immediate Actions Required

  • Upgrade Budibase to version 3.38.2 or later, which fixes the cache invalidation logic on role unassignment.
  • After any role revocation performed via the public API on a vulnerable version, manually flush the affected user's Redis cache entry or restart the Redis cache to force re-resolution from CouchDB.
  • Revoke and rotate API keys and active sessions belonging to users whose roles have been downgraded.

Patch Information

The vulnerability is fixed in Budibase 3.38.2. Release notes and the patched build are available in the Budibase 3.38.2 GitHub Release. Vendor remediation details are documented in the GitHub Security Advisory GHSA-6vp2-6r7m-2jvx.

Workarounds

  • Avoid using the public API role unassignment endpoint on vulnerable versions; perform role changes through administrative interfaces that correctly invalidate the cache.
  • Reduce the Redis user cache TTL to shorten the stale-permission window until the patch is applied.
  • Manually delete the affected user's Redis cache key immediately after each role unassignment to force a fresh CouchDB lookup on the next request.
```bash
# Example: manually invalidate a Budibase user cache entry in Redis after role unassignment
# Replace <user_id> with the affected user's global identifier
redis-cli DEL "user:<user_id>"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
