CVE-2026-25045

CVE-2026-25045 is a high-severity vulnerability in Budibase with a CVSS 3.x base score of 8.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-862.

Key facts

Description

Budibase is a low code platform for creating internal tools, workflows, and admin panels. This issue is a combination of Vertical Privilege Escalation and IDOR (Insecure Direct Object Reference) due to missing server-side RBAC checks in the /api/global/users endpoints. A Creator-level user, who should have no permissions to manage users or organizational roles, can instead promote an App Viewer to Tenant Admin, demote a Tenant Admin to App Viewer, or modify the Owner’s account details and all orders (e.g., change name). This is because the API accepts these actions without validating the requesting role, a Creator can replay Owner-only requests using their own session tokens. This leads to full tenant compromise.

Frequently asked questions

What is CVE-2026-25045?
Budibase is a low code platform for creating internal tools, workflows, and admin panels. This issue is a combination of Vertical Privilege Escalation and IDOR (Insecure Direct Object Reference) due to missing server-side RBAC checks in the /api/global/users endpoints. A Creator-level user, who should have no permissions to manage users or organizational roles, can instead promote an App Viewer to Tenant Admin, demote a Tenant Admin to App Viewer, or modify the Owner’s account details and all orders (e.g., change name). This is because the API accepts these actions without validating the requesting role, a Creator can replay Owner-only requests using their own session tokens. This leads to full tenant compromise.
How severe is CVE-2026-25045?
CVE-2026-25045 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2026-25045 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (21st percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-25045?
CVE-2026-25045 affects Budibase. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-25045?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
Does CVE-2026-25045 have an EU (EUVD) identifier?
Yes. CVE-2026-25045 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-10354.
When was CVE-2026-25045 published?
CVE-2026-25045 was published on 2026-03-09 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Budibase

All CVEs affecting Budibase →

Other CWE-862 (Missing Authorization) vulnerabilities

Browse all CWE-862 (Missing Authorization) vulnerabilities →