
CVE-2026-46425: Budibase Auth Bypass Vulnerability

CVE-2026-46425 is an authentication bypass flaw in Budibase that allows any authenticated user to access SCIM endpoints and perform CRUD operations on all users and groups. This article covers technical details, affected versions, impact, and mitigation.

CVE-2026-46425 Overview

CVE-2026-46425 is a missing authorization vulnerability in Budibase, an open-source low-code platform. The flaw resides in the System for Cross-domain Identity Management (SCIM) router defined in packages/worker/src/api/routes/global/scim.ts. The router attaches only the requireSCIM and doInScimContext middlewares, neither of which enforces a role check. Any authenticated user who reaches the worker service can invoke SCIM endpoints and create, read, update, or delete every user and group in the tenant. Budibase has fixed the issue in version 3.38.2.

Critical Impact

Any low-privileged authenticated user can take full control over tenant identity data, including provisioning, modifying, and deleting users and groups across the entire Budibase tenant.

Affected Products

  • Budibase versions prior to 3.38.2
  • Budibase worker service exposing SCIM routes
  • Self-hosted Budibase deployments with the Enterprise SCIM feature enabled

Discovery Timeline

  • 2026-05-27 - CVE-2026-46425 published to NVD
  • 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-46425

Vulnerability Analysis

The vulnerability is a Broken Access Control issue classified as CWE-862 (Missing Authorization). Budibase exposes SCIM endpoints from the worker service to support identity provisioning. The SCIM router in packages/worker/src/api/routes/global/scim.ts chains only two middlewares: requireSCIM, which verifies the Enterprise feature flag and SCIM configuration, and doInScimContext, which sets request-scoped context. Neither middleware enforces an administrative role. As a result, authorization for these privileged endpoints reduces to authentication alone, breaking the principle of least privilege for tenant identity management.

Root Cause

The root cause is the absence of a role-gating middleware on the SCIM router. Budibase enforces role checks (for example, builder or admin roles) elsewhere through dedicated middlewares, but the SCIM routes were registered without one. Because SCIM operations directly mutate user and group records, the missing check elevates the effective privilege of every authenticated session that can reach the worker.
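To make the root cause concrete, the following is an added TypeScript model of the router wiring described in the Vulnerability Analysis and Root Cause sections; it is not Budibase's code. It keeps the middleware names requireSCIM and doInScimContext from the advisory text. The compose helper (a synchronous stand-in for Koa's middleware chain), the Ctx shape, the role names and the adminOnly middleware are assumptions made for this illustration, standing in for whatever role check the 3.38.2 patch actually adds.

```typescript
// Added example modelling the SCIM router wiring; NOT Budibase's code.
// requireSCIM and doInScimContext are the names from the advisory; compose,
// Ctx, Role and adminOnly are assumptions made for this illustration.

type Role = "BASIC" | "BUILDER" | "ADMIN";

interface Ctx {
  user?: { id: string; role: Role }; // set by the authentication layer (not modelled here)
  scimEnabled: boolean;              // tenant has the Enterprise SCIM feature configured
  status: number;
  body?: unknown;
  state: Record<string, unknown>;    // request-scoped context, like Koa's ctx.state
}

type Middleware = (ctx: Ctx, next: () => void) => void;

// Minimal synchronous stand-in for koa-compose: runs the chain in order and
// stops wherever a middleware declines to call next().
function compose(stack: Middleware[]): (ctx: Ctx) => void {
  return (ctx) => {
    const dispatch = (i: number): void => {
      if (i < stack.length) stack[i](ctx, () => dispatch(i + 1));
    };
    dispatch(0);
  };
}

// Feature gate only: checks that SCIM is licensed and configured for the tenant.
const requireSCIM: Middleware = (ctx, next) => {
  if (!ctx.scimEnabled) { ctx.status = 403; ctx.body = "SCIM not enabled"; return; }
  next();
};

// Sets request-scoped context; makes no authorization decision at all.
const doInScimContext: Middleware = (ctx, next) => {
  ctx.state.scim = true;
  next();
};

// The role gate the vulnerable router lacked (assumed name): refuse anything but ADMIN.
const adminOnly: Middleware = (ctx, next) => {
  if (ctx.user?.role !== "ADMIN") { ctx.status = 403; ctx.body = "admin role required"; return; }
  next();
};

// The privileged handler (think POST /Users): if it is reached, a user is created.
const createUserHandler: Middleware = (ctx) => {
  ctx.status = 201;
  ctx.body = { created: true };
};

// Pre-fix wiring: being authenticated is the only effective gate.
const vulnerableRouter = compose([requireSCIM, doInScimContext, createUserHandler]);
// Post-fix wiring: role enforcement sits in front of the handler.
const hardenedRouter = compose([requireSCIM, adminOnly, doInScimContext, createUserHandler]);

// Drive a router with an authenticated session of the given role and report the HTTP status.
function statusFor(router: (ctx: Ctx) => void, role: Role, scimEnabled = true): number {
  const ctx: Ctx = { user: { id: "u1", role }, scimEnabled, status: 404, state: {} };
  router(ctx);
  return ctx.status;
}

console.log("vulnerable, BASIC:", statusFor(vulnerableRouter, "BASIC")); // 201: created
console.log("hardened, BASIC:", statusFor(hardenedRouter, "BASIC"));     // 403
console.log("hardened, ADMIN:", statusFor(hardenedRouter, "ADMIN"));     // 201
```

The point of the model is the middle line of output: with only requireSCIM and doInScimContext in the chain, a BASIC session reaches the handler, which is exactly the behaviour the advisory describes. Disabling SCIM (scimEnabled = false) makes requireSCIM reject every request, which is why the workaround of revoking the SCIM feature closes the route.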

Attack Vector

An attacker with any authenticated Budibase account, including a BASIC role user or a workspace-scoped builder, sends SCIM HTTP requests to the worker service. The requests pass requireSCIM because SCIM is enabled on the tenant, and doInScimContext simply sets context. The attacker can then issue SCIM POST, PUT, PATCH, and DELETE operations against /Users and /Groups endpoints to enumerate accounts, create new privileged users, reset attributes, or delete legitimate accounts. This leads to full tenant takeover of identity data and downstream compromise of workspaces relying on those identities.

No verified public exploit code is available. See the GitHub Security Advisory for vendor-published technical details.

Detection Methods for CVE-2026-46425

Indicators of Compromise

  • Unexpected SCIM requests in worker access logs from sessions associated with BASIC role users or workspace-scoped builders.
  • Creation, modification, or deletion of users and groups via /api/global/scim/v2/Users or /api/global/scim/v2/Groups outside of the configured identity provider source IP ranges.
  • New administrator or builder accounts appearing in the tenant without a corresponding change request.

Detection Strategies

  • Correlate SCIM endpoint access with the authenticated session's role claim and alert when the role is not admin.
  • Baseline expected SCIM client identities (IdP service principals) and flag any deviation in user-agent, source IP, or token subject.
  • Review audit logs for bulk user or group CRUD operations occurring within short time windows.
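The indicators of compromise and the three detection strategies above, run over constructed log lines as an added TypeScript example; this is not Budibase tooling. The JSON-per-line log format and the field names ts, method, path, status, ip, role and sub are assumptions, so a real worker access log needs its own parser in place of parseLine, and the IdP egress range 203.0.113.0/24 is a documentation-range placeholder.

```typescript
// Added detection example; NOT Budibase's code. Log format and field names are
// assumptions; the sample lines and the IdP range are constructed for illustration.

interface AccessEvent { ts: number; method: string; path: string; status: number; ip: string; role: string; sub: string }
interface Finding { sub: string; reason: string; path: string }

const SCIM_PREFIX = "/api/global/scim/v2/";
const MUTATING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// IPv4 CIDR membership, enough for an allowlist of IdP egress ranges.
function ipToInt(ip: string): number {
  return ip.split(".").reduce((acc, o) => (acc << 8) | parseInt(o, 10), 0) >>> 0;
}
function inCidr(ip: string, cidr: string): boolean {
  const [net, bitsStr] = cidr.split("/");
  const bits = parseInt(bitsStr, 10);
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0; // JS shifts mod 32, so handle /0 explicitly
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// One JSON object per line; unparseable lines are skipped rather than failing the run.
function parseLine(line: string): AccessEvent | null {
  try {
    const o = JSON.parse(line);
    return typeof o.path === "string" ? (o as AccessEvent) : null;
  } catch {
    return null;
  }
}

function detectScimAbuse(lines: string[], idpRanges: string[], bulkThreshold = 5, windowMs = 60_000): Finding[] {
  const findings: Finding[] = [];
  const events = lines
    .map(parseLine)
    .filter((e): e is AccessEvent => e !== null && e.path.startsWith(SCIM_PREFIX));
  const perActor = new Map<string, number[]>(); // mutation timestamps per token subject

  for (const e of events) {
    // Strategy 1: SCIM access must carry the admin role claim.
    if (e.role !== "ADMIN") findings.push({ sub: e.sub, reason: `scim-access-with-role-${e.role}`, path: e.path });
    // Strategy 2: a successful mutation from outside the IdP egress ranges.
    const ok = e.status >= 200 && e.status < 300;
    if (MUTATING.has(e.method) && ok && !idpRanges.some((r) => inCidr(e.ip, r))) {
      findings.push({ sub: e.sub, reason: "scim-mutation-from-non-idp-source", path: e.path });
    }
    if (MUTATING.has(e.method)) {
      const ts = perActor.get(e.sub) ?? [];
      ts.push(e.ts);
      perActor.set(e.sub, ts);
    }
  }
  // Strategy 3: bulk CRUD, i.e. at least bulkThreshold mutations by one actor inside windowMs.
  perActor.forEach((ts, sub) => {
    ts.sort((a, b) => a - b);
    let i = 0;
    for (let j = 0; j < ts.length; j++) {
      while (ts[j] - ts[i] > windowMs) i++;
      if (j - i + 1 >= bulkThreshold) { findings.push({ sub, reason: "scim-bulk-crud", path: SCIM_PREFIX }); return; }
    }
  });
  return findings;
}

// Constructed sample worker log lines for the demonstration.
const SAMPLE_LOG: string[] = [
  // Legitimate IdP provisioning: ADMIN service principal from the allowlisted range.
  '{"ts":1000,"method":"POST","path":"/api/global/scim/v2/Users","status":201,"ip":"203.0.113.10","role":"ADMIN","sub":"idp-svc"}',
  // A BASIC session reaching SCIM is one finding; its successful DELETE from a non-IdP address is a second.
  '{"ts":2000,"method":"GET","path":"/api/global/scim/v2/Users","status":200,"ip":"198.51.100.7","role":"BASIC","sub":"alice"}',
  '{"ts":3000,"method":"DELETE","path":"/api/global/scim/v2/Users/abc","status":204,"ip":"198.51.100.7","role":"BASIC","sub":"alice"}',
  // Non-SCIM traffic is ignored.
  '{"ts":4000,"method":"GET","path":"/api/global/users/self","status":200,"ip":"198.51.100.7","role":"BASIC","sub":"alice"}',
  // Garbage lines are skipped.
  "not json",
];
const IDP_RANGES = ["203.0.113.0/24"];

function demoFindings(): Finding[] {
  return detectScimAbuse(SAMPLE_LOG, IDP_RANGES);
}

for (const f of demoFindings()) console.log(f.sub, f.reason, f.path);
```

Strategy 1 is the one that maps directly onto the flaw: before 3.38.2 the worker itself never compared the role claim against the SCIM route, so the comparison has to happen in the SIEM. Strategy 2 only helps if the legitimate SCIM client really is confined to known egress addresses, so baseline those ranges before turning the rule into an alert.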

Monitoring Recommendations

  • Enable verbose request logging on the Budibase worker and forward logs to a centralized SIEM for retention and search.
  • Monitor for HTTP 2xx responses on SCIM routes paired with non-IdP source identities.
  • Alert on identity changes that bypass the standard provisioning workflow, including out-of-hours user creation or deletion.

How to Mitigate CVE-2026-46425

Immediate Actions Required

  • Upgrade Budibase to version 3.38.2 or later on all worker instances.
  • Audit tenant users and groups for unauthorized accounts created or modified before the upgrade.
  • Rotate credentials and session tokens for any account that may have been altered via SCIM.

Patch Information

The vulnerability is fixed in Budibase 3.38.2. The patch adds a role-enforcing middleware to the SCIM router so that only authorized identities can invoke SCIM endpoints. Refer to the Budibase 3.38.2 Release Notes and the GitHub Security Advisory GHSA-q9rw-q89f-jx2f for full details.

Workarounds

  • If immediate patching is not possible, disable the SCIM feature in tenant configuration to remove the vulnerable routes from the request path.
  • Restrict network access to the worker SCIM endpoints to known identity provider source addresses using a reverse proxy or web application firewall.
  • Temporarily revoke Enterprise SCIM licensing on tenants where SCIM is not actively used, which causes requireSCIM to reject requests.
The second workaround expressed as an nginx location block; the upstream name budibase_worker and the 203.0.113.0/24 range are placeholders to be replaced with the deployment's own values:

```nginx
# Example reverse proxy rule restricting SCIM endpoints to the IdP source range
location /api/global/scim/ {
    allow 203.0.113.0/24;   # Identity provider egress range
    deny  all;
    proxy_pass http://budibase_worker;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
