CVE-2026-48150 Overview
CVE-2026-48150 is a privilege escalation vulnerability in Budibase, an open-source low-code platform. Versions prior to 3.39.0 expose the /api/public/v1/roles/assign endpoint behind the builderOrAdmin middleware. This middleware accepts both global builders and workspace-scoped builders. The controller then spreads the request body directly into the SDK call, allowing the caller to set builder.global=true or admin.global=true on arbitrary user IDs. A workspace-scoped builder with an API key can promote any account to tenant-wide global administrator with a single POST request. The vulnerability requires an Enterprise license that unlocks the EXPANDED_PUBLIC_API feature and is fixed in version 3.39.0.
Critical Impact
A workspace-scoped builder can escalate any user, including themselves, to global administrator across the entire tenant via a single API call.
Affected Products
- Budibase versions prior to 3.39.0
- Budibase Enterprise deployments with the EXPANDED_PUBLIC_API feature enabled
- Self-hosted and cloud Budibase tenants exposing the public API
Discovery Timeline
- 2026-05-27 - CVE-2026-48150 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-48150
Vulnerability Analysis
The vulnerability is a broken access control flaw [CWE-915] in Budibase's public API. The /api/public/v1/roles/assign endpoint is protected by the builderOrAdmin middleware. This middleware was designed to gate administrative role-assignment functionality, but it admits any caller who is a builder for the app referenced in the x-budibase-app-id header. Workspace-scoped builders, who have builder.apps set but builder.global unset, satisfy this check despite holding only app-level privileges.
The controller then forwards the request body directly into the SDK call without filtering attributes. The SDK applies whatever role flags the caller supplies, including builder.global=true and admin.global=true. This converts an app-scoped role into a tenant-wide administrator role.
Root Cause
The root cause is improper assignment of sensitive fields to a user object [CWE-915]. The middleware authorization scope does not match the privilege scope the underlying SDK operation can grant. Combined with unfiltered propagation of request body attributes into the SDK call, this lets a low-privilege caller mutate high-privilege fields.
Attack Vector
The attacker must hold a valid Budibase API key for a workspace-scoped builder account in a tenant running an Enterprise license with EXPANDED_PUBLIC_API enabled. The attacker sends a POST request to /api/public/v1/roles/assign with the x-budibase-app-id header set to an app they build, and a JSON body specifying target user IDs along with the builder.global=true or admin.global=true fields. The server applies these fields, granting tenant-wide administrative privileges. The attacker can target their own user ID or any other account in the tenant.
No verified exploit code is published. See the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-48150
Indicators of Compromise
- POST requests to /api/public/v1/roles/assign originating from API keys associated with workspace-scoped builder accounts.
- Audit log entries showing unexpected promotions of user accounts to builder.global=true or admin.global=true.
- Request bodies to the role assignment endpoint that include global role flags from non-global-builder callers.
Detection Strategies
- Inspect Budibase application logs and reverse proxy logs for calls to /api/public/v1/roles/assign and correlate the calling API key's role scope with the granted role scope.
- Diff the set of global administrators and global builders against an authoritative baseline to identify unauthorized elevations.
- Alert on any role-change events where the requester's authorization scope is narrower than the resulting target user's scope.
Monitoring Recommendations
- Enable verbose API access logging on the Budibase public API and forward logs to a centralized analytics platform.
- Monitor for sudden changes in the count of global administrators or global builders across each tenant.
- Track issuance and usage of API keys for workspace-scoped builders, including source IP and request volume.
How to Mitigate CVE-2026-48150
Immediate Actions Required
- Upgrade Budibase to version 3.39.0 or later on all self-hosted and managed deployments.
- Audit current global administrators and global builders, and revoke any unexpected elevated accounts.
- Rotate API keys for all workspace-scoped builder accounts and review their recent activity against the public API.
Patch Information
The vulnerability is fixed in Budibase 3.39.0. The fix restricts the /api/public/v1/roles/assign endpoint so that workspace-scoped builders can no longer assign global role flags. Refer to the Budibase GHSA-6xp4-cf37-ppjh advisory for release details.
Workarounds
- If immediate upgrade is not possible, restrict network access to the /api/public/v1 path so only trusted administrative clients can reach it.
- Disable the EXPANDED_PUBLIC_API feature on Enterprise tenants until the patch is applied.
- Revoke API keys held by workspace-scoped builders until upgrade and verification are complete.
# Configuration example: block the vulnerable endpoint at the reverse proxy
# nginx snippet to deny access to the public roles assign endpoint
location = /api/public/v1/roles/assign {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
