2 matches found
CVE-2026-59093 Weaviate < 1.38.0 - Privilege Escalation via Unchecked Permissions in RBAC Role Assignment
Weaviate before 1.38.0 does not verify that a principal performing an RBAC role assignment holds the permissions granted by the assigned role. The assignRoleToUser and assignRoleToGroup handlers POST /authz/users/id/assign and /authz/groups/id/assign authorize only that the caller may assign role...
CVE-2026-25040 Budibase Vulnerable to Privilege Escalation via API Abuse – Creator Can Invite Users with Admin/Any Role
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invite new users with any role, including Admin, Creator, or Ap...