CVE-2026-45716: Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration
Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured (the default for self-hosted Budibase instances), this endpoint bypasses the admin-restricted invite flow and directly creates users via bulkCreate, accepting arbitrary admin and builder role assignments from the request body. A builder-level user can create a new global admin account and receive the generated password in the response, achieving full privilege escalation. This vulnerability is fixed in 3.38.1.
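As an added sketch (not Budibase's own code), the following JavaScript models the authorization gap described above and one way to close it; the names `smtpConfigured`, `bulkCreate`, `requester` and `body.users` are assumptions made for this illustration, and the hardened shape is one possible fix, not necessarily the one shipped in 3.38.1.

```javascript
// Added sketch, not Budibase's code: a simplified model of the onboard
// handler described in the advisory. All names below (smtpConfigured,
// bulkCreate, requester, body.users) are assumptions made for this sketch.

const smtpConfigured = false;   // the self-hosted default, per the advisory
const userStore = [];

// Stand-in for the user store's bulk creation; passwords are generated
// server-side and, in the no-SMTP branch, handed back in the response.
function bulkCreate(users) {
  const created = users.map((u) => ({ ...u, password: "generated-" + u.email }));
  userStore.push(...created);
  return created;
}

// Vulnerable shape: the route admits builders, and when SMTP is not
// configured it creates users with whatever role flags the body carries.
function onboardVulnerable(requester, body) {
  if (!(requester.builder || requester.admin)) throw new Error("forbidden");
  if (smtpConfigured) return { invited: body.users.map((u) => u.email) };
  return { created: bulkCreate(body.users) };   // admin/builder flags honoured as-is
}

// Hardened shape: the direct-create branch keeps the same restriction as the
// invite flow it replaces (admin only), and no branch lets a non-admin grant
// admin or builder roles taken from the request body.
function onboardHardened(requester, body) {
  if (!(requester.builder || requester.admin)) throw new Error("forbidden");
  const grantsRole = body.users.some((u) => u.admin || u.builder);
  if (grantsRole && !requester.admin) throw new Error("forbidden: role grant requires admin");
  if (smtpConfigured) return { invited: body.users.map((u) => u.email) };
  if (!requester.admin) throw new Error("forbidden: direct user creation requires admin");
  return { created: bulkCreate(body.users) };
}

// Returns true when the handler refuses the request (used to compare both shapes).
function refuses(handler, requester, body) {
  try { handler(requester, body); return false; } catch (e) { return true; }
}
```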
HarborGuard Analysis
Synopsis
This is a privilege escalation vulnerability in Budibase, an open-source low-code platform. A user with builder-level permissions can send a crafted POST request to the /api/global/users/onboard endpoint, which skips the admin-restricted invite flow when SMTP email is not configured (the default for self-hosted instances), and directly creates a new global admin account, receiving the plaintext password in the response. Successful exploitation gives the attacker full administrative control over the Budibase instance. A patched-image rebuild at version 3.38.1 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built Budibase images. Any image carrying a Budibase version below 3.38.1 is flagged automatically.
HarborGuard scores this CVE at CVSS 8.8 (HIGH) and can weight it against each environment's compliance policy to determine urgency and routing. Triage alerts are directed to the team or inbox designated by each customer organization's notification configuration.
A patched-image rebuild at Budibase 3.38.1 becomes available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Budibase API over the network to send a POST request to the onboard endpoint.
- Authentication: Required
Any account with builder-level permissions is sufficient; no admin account is needed.
- Victim interaction: Not required
No action from another user or administrator is needed to complete the attack.
- Attack complexity: Low
The exploit is reliable and condition-free, requiring no race conditions or special environmental factors beyond the absence of SMTP configuration, which is the default state for self-hosted instances.
Blast Radius
- The attacker creates a new global admin account with a known password, gaining full administrative control over the Budibase instance.
- With admin access, the attacker reads all application data, user records, and credentials stored within the platform.
- The attacker modifies or deletes any application, datasource connection, or user account across the entire Budibase deployment.
- The attacker can disrupt all hosted applications and automations by altering or removing configurations at the global admin level.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is matched against all customer images within minutes of publication, covering both official Budibase images and custom-built derivatives. For environments confirmed to be running an affected version (below 3.38.1), a patched-image rebuild at 3.38.1 is available. For customers with auto-remediation enabled, HarborGuard initiates a rebuild, executes regression tests, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. Where auto-remediation is not enabled, customers receive a prioritized alert routed according to their team notification settings. As an interim compensating control, customers can restrict network access to the /api/global/users/onboard endpoint via network policy or ingress rules, and can verify whether SMTP is configured to understand their exposure level.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 3.38.1
- Affected products: 1 (Budibase / budibase < 3.38.1)
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H