CVE-2026-25045
Budibase Critical Privilege Escalation & IDOR via Missing RBAC on User Role Management (Creator-Role)
Budibase is a low code platform for creating internal tools, workflows, and admin panels. This issue is a combination of Vertical Privilege Escalation and IDOR (Insecure Direct Object Reference) due to missing server-side RBAC checks in the /api/global/users endpoints. A Creator-level user, who should have no permissions to manage users or organizational roles, can instead promote an App Viewer to Tenant Admin, demote a Tenant Admin to App Viewer, or modify the Ownerβs account details and all orders (e.g., change name). This is because the API accepts these actions without validating the requesting role, a Creator can replay Owner-only requests using their own session tokens. This leads to full tenant compromise.
| CWE | CWE-862 |
| Vendor | budibase |
| Product | budibase |
| Published | Mar 9, 2026 |
| Last Updated | Mar 9, 2026 |
Get instant alerts for budibase budibase
Be the first to know when new unknown vulnerabilities affecting budibase budibase are published β delivered to Slack, Telegram or Discord.