Threat Advisory

Budibase Worker Vulnerability Allows Unauthorized Access

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-45716, with a CVSS score of 8.8, is a privilege escalation vulnerability in the Budibase 'worker' package affecting versions earlier than 3.38.1. The vulnerability arises from the "POST /api/global/users/onboard" endpoint being accessible to builder-level users and accepting arbitrary admin and builder role assignments from the request body when no SMTP email configuration is set, which is the default for self-hosted Budibase instances. An attacker can exploit this by authenticating as a builder user and creating a new global admin account via the onboard endpoint, using the builder's session cookie and specifying the admin role in the request, thereby achieving full privilege escalation. This gives the attacker full administrative access to the Budibase instance, allowing them to modify or delete data, access sensitive information, and potentially disrupt the entire system. If exploited, this vulnerability could have severe business consequences, including data breaches, system compromise, and reputational damage, and is therefore rated HIGH severity. Prerequisites for exploitation are a self-hosted Budibase instance with no SMTP configured and a user account with builder-level access.
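The root cause described above is an onboarding handler that lets the request body decide the new account's roles without checking what the caller is entitled to grant. The following is an added illustrative model of that pattern and of one way to close it; it is not Budibase's code. The type names, the role names, the `smtpConfigured` flag that selects between direct account creation and an e-mail invite, and the policy that only admins may grant admin or builder are all assumptions chosen to mirror the advisory's description.

```typescript
// Added illustrative example (not Budibase's code): a minimal model of an
// "onboard users" handler showing the authorization gap the advisory describes
// and one way to close it. Role names, types and the SMTP flag are assumptions.

export type Role = "admin" | "builder" | "basic";

export interface Caller {
  userId: string;
  roles: ReadonlySet<Role>; // roles bound to the caller's session, NOT the body
}

export interface OnboardRequest {
  emails: string[];
  roles?: Role[]; // roles the request body asks for
}

export interface OnboardOutcome {
  created: { email: string; roles: Role[] }[]; // accounts created directly
  invited: string[];                           // e-mail invites sent instead
}

export class ForbiddenError extends Error {}

// Roles that confer control over the instance; granting them must be gated.
const PRIVILEGED: ReadonlySet<Role> = new Set<Role>(["admin", "builder"]);

// Weak variant: the body decides the roles of the new account. Any caller who can
// reach the endpoint (a builder, per the advisory) can therefore mint an admin
// whenever the no-SMTP path creates the account directly.
export function onboardUnchecked(
  caller: Caller, req: OnboardRequest, smtpConfigured: boolean,
): OnboardOutcome {
  if (smtpConfigured) return { created: [], invited: [...req.emails] };
  const roles = req.roles ?? ["basic"];
  return { created: req.emails.map(email => ({ email, roles })), invited: [] };
}

// Hardened variant: privilege is derived from the caller's session. The policy
// used here is an assumption, not Budibase's: only admins may grant admin or
// builder; a builder may onboard basic users only; anyone else is refused.
export function authorizeRoleGrant(caller: Caller, requested: Role[]): void {
  if (!caller.roles.has("admin") && !caller.roles.has("builder")) {
    throw new ForbiddenError("caller may not onboard users");
  }
  const escalation = requested.filter(r => PRIVILEGED.has(r));
  if (escalation.length > 0 && !caller.roles.has("admin")) {
    throw new ForbiddenError(`caller may not grant ${escalation.join(", ")}`);
  }
}

export function onboardChecked(
  caller: Caller, req: OnboardRequest, smtpConfigured: boolean,
): OnboardOutcome {
  const roles = req.roles ?? ["basic"];
  authorizeRoleGrant(caller, roles); // check on BOTH paths, before any side effect
  if (smtpConfigured) return { created: [], invited: [...req.emails] };
  return { created: req.emails.map(email => ({ email, roles })), invited: [] };
}

// Constructed demo: a builder session asking for an admin account, no SMTP.
export function demo(): { weakGrantedAdmin: boolean; hardenedRefused: boolean } {
  const builder: Caller = { userId: "u-builder-1", roles: new Set<Role>(["builder"]) };
  const req: OnboardRequest = { emails: ["new@example.test"], roles: ["admin"] };
  const weak = onboardUnchecked(builder, req, false);
  let refused = false;
  try {
    onboardChecked(builder, req, false);
  } catch (e) {
    refused = e instanceof ForbiddenError;
  }
  return {
    weakGrantedAdmin: weak.created[0].roles.includes("admin"),
    hardenedRefused: refused,
  };
}
```

The point of the hardened variant is that the check runs before either code path has side effects, and that it reads the caller's entitlements from the session rather than from anything in the body. The same reasoning applies when reviewing any endpoint that takes a role, group or permission field from a client: the field is a request, and the server must decide separately whether this caller may fulfil it.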

RECOMMENDATION:

  • We recommend updating npm/@budibase/worker to version 3.38.1.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-c54j-xp92-wh28
