CVE-2026-48150: Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign
Budibase is an open-source low-code platform. Prior to 3.39.0, /api/public/v1/roles/assign is guarded by the builderOrAdmin middleware, which passes any user who is a builder for the app id in the x-budibase-app-id header. That check admits both global builders and workspace-scoped builders (builder.apps set but builder.global unset). The controller then spreads the request body into the SDK call, and the SDK grants builder.global=true or admin.global=true on whichever user ids the caller supplies. Bob, a workspace-scoped builder with an API key, promotes himself or any other user to global admin with one POST. The whole flow is tenant-wide privilege escalation from an app-level role, available to anyone with an Enterprise license that unlocks the EXPANDED_PUBLIC_API feature. This vulnerability is fixed in 3.39.0.
HarborGuard Analysis
Synopsis
This is a privilege escalation vulnerability in Budibase, an open-source low-code platform. A workspace-scoped builder (a user with app-level builder access but no global permissions) can send a single authenticated POST request over the network to the /api/public/v1/roles/assign endpoint and promote any user, including themselves, to global admin. Successful exploitation gives the attacker full tenant-wide administrative control, affecting the confidentiality and integrity of all data in the Budibase instance. A patched-image rebuild at version 3.39.0 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-48150 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built Budibase images, in both registry scans and CI/CD pipeline checks.
HarborGuard scores this CVE at CVSS 9.0 (Critical) and surfaces it accordingly in triage queues, with per-environment compliance policy weighting applied to prioritize it against each customer org's risk thresholds. Routing to the appropriate team inbox within each customer organization is available through HarborGuard's policy-driven alert configuration.
No upstream fix version has been published for this CVE yet. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Budibase ships a confirmed fix release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network; an attacker must be able to reach the Budibase API service via HTTP/HTTPS to send the malicious POST request.
- Authentication: Required
An admin or privileged account is not needed, but the attacker must hold a valid API key tied to a workspace-scoped builder account, making any such app-level builder credential sufficient.
- Victim interaction: Not required
No victim action is required; the attacker sends the API request directly and the escalation completes server-side without any interaction from another user.
- Attack complexity: Low
Exploitation is reliable and condition-free: the attacker supplies a well-formed POST body to a single endpoint and the SDK grants global admin unconditionally due to the missing scope check.
Blast Radius
- Attacker promotes themselves or any other user to global admin, gaining unrestricted control over the entire Budibase tenant.
- All application data, connected data sources, and user records across the tenant become readable to the attacker.
- Attacker can modify or delete any application, database row, automation, or user account within the tenant.
- Service availability is partially at risk; the CVSS A:L token indicates the attacker can degrade but not fully crash the platform through the same privilege abuse.
How HarborGuard Handles This
Available on HarborGuard: this CVE is flagged as Critical (CVSS 9.0) and is actively monitored across every ingest cycle against images containing Budibase components. Because no upstream fix version has been published, HarborGuard cannot yet generate a patched-image rebuild, but the advisory is re-evaluated on each ingest run so the rebuild becomes available automatically the moment Budibase releases version 3.39.0 or equivalent. In the interim, compensating controls available through HarborGuard's policy engine include flagging any image containing an affected Budibase version as non-compliant for promotion to production, and enabling network-policy isolation rules that restrict access to the /api/public/v1/roles/assign endpoint to trusted internal CIDR ranges only. For customers who have auto-remediation enabled, the rebuild-plus-PR flow will trigger immediately once the upstream fix is ingested, with median time from CVE publication to merged patch PR for Critical-severity issues around 90 minutes in qualifying environments.
Metrics
- CVSS v3.1: 9.0
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
- Budibase / budibase: < 3.39.0
- Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L