
CVE-2026-25040

Published 29/01/2026 22:15 · Modified 29/01/2026 22:15

Labels: CVE-2026-25040, 2026-01-29, CWE-863, [email protected]

Essential information

Published
29/01/2026 22:15
Modified
29/01/2026 22:15
Author
Creator
CVSS
5.7 MEDIUM (v3) 5.7 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invite new users with any role, including Admin, Creator, or App Viewer, and assign them to any group in the organization. This allows full privilege escalation, bypassing UI restrictions, and can lead to complete takeover of the workspace or organization. As of time of publication, no known fixed versions are available.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

Product | CPE
budibase / budibase | cpe:2.3:a:budibase:budibase:3.26.3:*:*:*:*:*:*:*
budibase / budibase | cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*

References