8 matches found
CVE-2026-46424
Budibase is an open-source low-code platform. Prior to 3.38.2, the public API role unassignment endpoint POST /api/public/v1/roles/unassign updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user...
CVE-2026-46424
Budibase is an open-source low-code platform. Prior to 3.38.2, the public API role unassignment endpoint POST /api/public/v1/roles/unassign updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user...
CVE-2026-46424 Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour
Budibase is an open-source low-code platform. Prior to 3.38.2, the public API role unassignment endpoint POST /api/public/v1/roles/unassign updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user...
CVE-2026-46424
Budibase is an open-source low-code platform. Prior to 3.38.2, the public API role unassignment endpoint POST /api/public/v1/roles/unassign updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user...
CVE-2026-46424 Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour
Budibase is an open-source low-code platform. Prior to 3.38.2, the public API role unassignment endpoint POST /api/public/v1/roles/unassign updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user...
EUVD-2026-32597
Budibase is an open-source low-code platform. Prior to 3.38.2, the public API role unassignment endpoint POST /api/public/v1/roles/unassign updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user...
Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour
Summary The public API role unassignment endpoint POST /api/public/v1/roles/unassign updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user identity and permissions from this cache TTL: 3600 seconds...
PT-2026-42049
Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.38.2 Description The public API role unassignment endpoint "/api/public/v1/roles/unassign" updates user documents in CouchDB but fails to invalidate the corresponding Redis user cache entries. Because the...