CVE-2026-45716
HighSummary
Budibase is an open-source low-code platform that prior to version 3.38.1 had a vulnerability in the POST /api/global/users/onboard endpoint. This allows builder-level users to create new global admin accounts, leading to privilege escalation.
Risk Assessment
Organizations may be exposed to unauthorized creation of admin accounts, which can lead to serious security breaches and loss of control over the system.
Recommendation
It is recommended to update Budibase to version 3.38.1 or later to mitigate this vulnerability and configure SMTP for additional security.
Original NVD description (English source)
Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured (the default for self-hosted Budibase instances), this endpoint bypasses the admin-restricted invite flow and directly creates users via bulkCreate, accepting arbitrary admin and builder role assignments from the request body. A builder-level user can create a new global admin account and receive the generated password in the response, achieving full privilege escalation. This vulnerability is fixed in 3.38.1.

