CVE-2026-46425: Budibase: SCIM endpoints lack role-based authorization, BASIC users CRUD tenant users
Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares to the SCIM router: requireSCIM (checks the Enterprise feature flag and SCIM config) and doInScimContext (sets the SCIM request context). There is no role check. Any authenticated user who reaches the worker (BASIC role, workspace-scoped builder, anyone) can call SCIM endpoints and CRUD every user and group in the tenant. This vulnerability is fixed in 3.38.2.
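The defect described above is a middleware-ordering mistake rather than a logic bug in any one handler: a feature-flag gate and a context setter run in front of the SCIM routes, but nothing checks who the caller is. The following added example (not Budibase's code, and not taken from the advisory) reproduces that shape with a minimal Koa-style middleware chain so the gap and its fix are visible side by side. The middleware names `requireScimFeature`, `scimContext` and `requireRole`, the `ctx.user.role` field, and the tenant directory are all hypothetical, modelled loosely on the `requireSCIM` and `doInScimContext` middlewares the advisory mentions.

```javascript
// Added example, not Budibase code: why a feature-flag gate is not an
// authorization check, and how a role middleware in front of the handler
// closes the gap. Everything here is constructed for illustration.

// Minimal synchronous compose(): runs middlewares in order; each one may
// stop the chain by not calling next(), which is how a gate rejects.
function compose(middlewares) {
  return function run(ctx) {
    function dispatch(i) {
      const fn = middlewares[i];
      if (!fn) return;
      return fn(ctx, () => dispatch(i + 1));
    }
    return dispatch(0);
  };
}

// Hypothetical feature-flag check, in the spirit of the advisory's requireSCIM:
// it answers "is SCIM enabled on this deployment?", not "may this caller use it?".
function requireScimFeature(ctx, next) {
  if (!ctx.config.scimEnabled) {
    ctx.status = 404;
    ctx.body = { error: "SCIM not enabled" };
    return;
  }
  return next();
}

// Hypothetical context setter, in the spirit of doInScimContext.
function scimContext(ctx, next) {
  ctx.scim = { tenantId: ctx.user.tenantId };
  return next();
}

// The missing piece: an explicit role gate. Assumes ctx.user.role is populated
// by the session/auth middleware that ran earlier (not shown).
function requireRole(...allowed) {
  return function roleGate(ctx, next) {
    if (!ctx.user || !allowed.includes(ctx.user.role)) {
      ctx.status = 403;
      ctx.body = { error: "forbidden" };
      return;
    }
    return next();
  };
}

// Handler standing in for a SCIM "list users" route: returns the caller's tenant directory.
function listUsers(ctx) {
  ctx.status = 200;
  ctx.body = { users: ctx.directory.filter((u) => u.tenantId === ctx.scim.tenantId) };
}

// Before: flag + context only, the shape the advisory describes.
const vulnerableRouter = compose([requireScimFeature, scimContext, listUsers]);
// After: the same chain with a role check placed before any SCIM handler.
const hardenedRouter = compose([requireScimFeature, requireRole("admin"), scimContext, listUsers]);

// Constructed tenant directory; not real accounts.
const DIRECTORY = [
  { email: "admin@example.test", role: "admin", tenantId: "t1" },
  { email: "basic@example.test", role: "basic", tenantId: "t1" },
  { email: "other@example.test", role: "basic", tenantId: "t2" },
];

function makeCtx(user) {
  return { user, config: { scimEnabled: true }, directory: DIRECTORY, status: 0, body: null };
}

// Drive a router with a given session; report the HTTP status and how many
// directory rows were returned (0 when the request was rejected).
function request(router, user) {
  const ctx = makeCtx(user);
  router(ctx);
  const rows = ctx.body && Array.isArray(ctx.body.users) ? ctx.body.users.length : 0;
  return { status: ctx.status, rows };
}

// Run both routers with a low-privilege session so the difference is visible.
function demo() {
  const basic = { email: "basic@example.test", role: "basic", tenantId: "t1" };
  return {
    vulnerable: request(vulnerableRouter, basic), // 200 with the full tenant directory
    hardened: request(hardenedRouter, basic),     // 403, nothing returned
  };
}

console.log(demo());
```

The check worth carrying into a real code review is simple: list every middleware attached to a router that exposes tenant-wide administrative operations and confirm that at least one of them decides based on the caller's role, not just on deployment configuration. A gate that only consults a feature flag will wave through any session that got as far as the service.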
HarborGuard Analysis
Synopsis
This is an authorization bypass in Budibase, an open-source low-code platform. Any authenticated user, including one holding only the BASIC role, can reach the SCIM (System for Cross-domain Identity Management) API endpoints over the network without elevated privileges, because the SCIM router performs no role-based access check. Successful exploitation lets an attacker create, read, update, and delete every user and group across the entire tenant. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Detection: Available
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Budibase images in private registries and CI pipelines.
- Scoring and routing: Available
HarborGuard scores this CVE at CVSS 9.9 Critical and is capable of weighting that score against each environment's compliance policy, then routing the finding to the appropriate team inbox within the customer org.
- Patched-image rebuild: Pending upstream
Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Budibase ships a corrected release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Budibase worker service over the network; any externally or internally exposed deployment is in scope.
- Authentication: Required
A low-privilege account is sufficient: any valid Budibase session (BASIC role or workspace-scoped builder) satisfies the only credential check in place.
- Victim interaction: Not required
No victim action is needed; the attacker calls the SCIM endpoints directly without any social-engineering step.
- Attack complexity: Low (AC:L in the CVSS vector below)
Exploitation is reliable and condition-free; no race conditions or specific memory layout are required to reach the unprotected SCIM router.
Blast Radius
- Reads the full user and group directory for the tenant, exposing email addresses, role assignments, and account metadata for every user.
- Creates new user accounts with arbitrary roles, enabling persistent backdoor access to the Budibase tenant.
- Modifies existing user records and group memberships, allowing privilege escalation or lateral movement within the platform.
- Deletes users and groups across the entire tenant, causing irreversible disruption to access control and potentially locking out legitimate administrators.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix has been published for this Critical-severity authorization bypass, HarborGuard continuously monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment Budibase releases version 3.38.2 or later. In the interim, compensating controls can reduce exposure: network policy rules can restrict access to the worker service's SCIM endpoint path to known identity-provider source IPs only; egress filtering can prevent the SCIM API from being reached by internal workloads that have no legitimate need for it; and where Budibase is deployed with feature-flag control over the SCIM config, disabling the SCIM integration at the application level removes the attack surface entirely until a patched image is available. For customers who opt into auto-remediation, HarborGuard will trigger a rebuild, regression run, and PR against affected workloads automatically once the fix version is published upstream.
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
  - Budibase / budibase < 3.38.2
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H