CVE-2026-25043

MEDIUM 5.3

Budibase: Unauthenticated Password Reset Endpoint Lacks Rate Limiting, Enabling Email Flooding

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

Budibase is an open-source low-code platform. Prior to version 3.23.25, a business logic vulnerability exists in Budibase’s password reset functionality due to the absence of rate limiting, CAPTCHA, or abuse prevention mechanisms on the “Forgot Password” endpoint. An unauthenticated attacker can repeatedly trigger password reset requests for the same email address, resulting in hundreds of password reset emails being sent in a short time window. This enables large-scale email flooding, user harassment, denial of service (DoS) against user inboxes, and potential financial and reputational impact for Budibase. This issue has been patched in version 3.23.25.

CWE	CWE-770
Vendor	budibase
Product	budibase
Published	Apr 3, 2026
Last Updated	Apr 3, 2026

Stay Ahead of the Next One

Get instant alerts for budibase budibase

Be the first to know when new medium vulnerabilities affecting budibase budibase are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Affected Versions

Budibase / budibase

< 3.23.25

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Budibase/budibase/security/advisories/GHSA-277c-prw2-rqgh github.com: https://github.com/Budibase/budibase/commit/21bc3f812b2312f082f7683c2abc22d1ecc880c7