CVE-2026-25045 Budibase Critical Privilege Escalation & IDOR via Missing RBAC on User Role Management (Creator-Role)
Budibase is a low-code platform for creating internal tools, workflows, and admin panels. This issue is a combination of Vertical Privilege Escalation and IDOR (Insecure Direct Object Reference) due to missing server-side RBAC checks in the /api/global/users endpoints. A Creator-level user, who...
PT-2026-5360
Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 3.26.4 Description: Budibase is a low code platform used for building internal tools, workflows, and admin panels. A Creator-level user, normally lacking UI permissions to invite users, can manipulate API requests to...
BIT-APPSMITH-2024-55965
An issue was discovered in Appsmith before 1.51. Users invited as "App Viewer" incorrectly have access to development information of a workspace, specifically a list of datasources in a workspace they're a member of. This information disclosure does not expose sensitive data in the datasources,...
CVE-2024-55965
An issue was discovered in Appsmith before 1.51. Users invited as "App Viewer" incorrectly have access to development information of a workspace, specifically a list of datasources in a workspace they're a member of. This information disclosure does not expose sensitive data in the datasources,...
CVE-2024-55604
Appsmith is a platform to build admin panels, internal tools, and dashboards. Users invited as "App Viewer" should not have access to development information of a workspace. Datasources are such a component in a workspace. Yet, in versions of Appsmith prior to 1.51, app viewers are able to get a...
CVE-2024-55965
Appsmith before version 1.51 is affected by an information-disclosure issue where users invited as "App Viewer" can access development information for a workspace, specifically listing datasources in that workspace. The root cause is improper access control that permits VIEWER-role users to enume...
CVE-2024-55604
Appsmith prior to v1.51 contains an access-control flaw where users invited as an App Viewer can query the list of datasources in a workspace they belong to. The underlying issue is restricted to development information exposure, not the actual credentials; no sensitive data in datasources is rep...
Appsmith Security Vulnerability
Appsmith is an open source platform for building, deploying, and maintaining internal applications from Appsmith Open Source. A security vulnerability exists in Appsmith versions prior to 1.51, which stems from App Viewer's ability to obtain a list of data sources in the workspace, potentially...
PT-2025-12805 · Appsmith · Appsmith
Name of the Vulnerable Software and Affected Versions: Appsmith versions prior to 1.51 Description: The issue concerns an information disclosure where users invited as "App Viewer" can access development information of a workspace, specifically getting a list of datasources. This does not expose...