CVE-2026-45716

Budibase vulnerability CVE-2026-45716 affects the onboardUsers endpoint: when SMTP is not configured, POST /api/global/users/onboard allows a builder to create new global admin accounts by injecting attacker-controlled roles, returning the generated password in the response and enabling full priv...

CVE-2026-45716 Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration

Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured the default for self-hosted Budibase instances,...

GHSA-C54J-XP92-WH28 Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration

Summary The POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured the default for self-hosted Budibase instances, this endpoint bypasses the admin-restricted invite flo...

Improper Privilege Management

Overview @budibase/builder is a npm install Affected versions of this package are vulnerable to Improper Privilege Management through the onboardUsers function. An attacker can gain unauthorized administrative privileges by sending crafted requests to the affected endpoint, allowing the creation ...