Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration

Summary The POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured the default for self-hosted Budibase instances, this endpoint bypasses the admin-restricted invite flo...

EUVD-2026-29341

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault. The organization invite flow uses a two-step process: accepting an invite transitions membership from Invited to Accepted, an...

CVE-2026-43913

Vaultwarden (Rust) prior to 1.35.5 exposes a data-loss risk where an authenticated user who is an unconfirmed organization owner can purge the entire organization vault via POST /api/ciphers/purge. The purge check incorrectly validates only membership type Owner, not Confirmed status, allowing a ...

SUSE CVE-2026-34389

Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token...

EUVD-2026-16797

Fleet's user account creation via invite does not enforce invited email address...

Fleet's user account creation via invite does not enforce invited email address

Summary Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address whi...

CVE-2026-34389

Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token...

CVE-2026-34389 Fleet's user account creation via invite does not enforce invited email address

Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token...

CVE-2026-34389 Fleet's user account creation via invite does not enforce invited email address

Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token...

CVE-2026-34389

CVE-2026-34389 affects Fleet open-source device management. Before 4.81.0, the user invitation flow did not validate the invitee’s email during invite acceptance against the email tied to the invite token. An attacker with a valid invite token could create an account under an arbitrary email whil...

EUVD-2025-206239

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user member can invite a high privileged user. At first, the application will throw an error, but if the attacker clicks th...