Cyber Resilience

CVE-2026-25040

MediumPublic PoC

Published: 29 January 2026

Published
29 January 2026
Modified
03 March 2026
KEV Added
Patch
CVSS Score v4 5.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0052 40.2th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-25040 is a medium-severity Incorrect Authorization (CWE-863) vulnerability in Budibase Budibase. Its CVSS base score is 5.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 40.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-25040 is an incorrect authorization vulnerability (CWE-863) in Budibase, a low-code platform for building internal tools, workflows, and admin panels. It affects versions up to and including 3.26.3. A Creator-level user, who lacks UI permissions to invite users, can manipulate API requests to invite new users with any role—including Admin, Creator, or App Viewer—and assign them to any group in the organization. This flaw enables full privilege escalation, bypassing UI restrictions and potentially leading to complete takeover of the workspace or organization. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The attack requires only low privileges (Creator role) and can be carried out remotely with low complexity and no user interaction. An attacker with Creator access crafts and sends manipulated API requests to the Budibase instance, successfully inviting external or controlled accounts with elevated Admin privileges. This grants the invitees full control over the platform, including user management, app deployment, and organization settings, resulting in high confidentiality, integrity, and availability impacts.

As of publication on 2026-01-29T22:15:55.347, no fixed versions are available. Mitigation details are outlined in the Budibase security advisory at https://github.com/Budibase/budibase/security/advisories/GHSA-4wfw-r86x-qxrm, with proof-of-concept details in https://drive.google.com/file/d/1Dtn1WLJILRYUeoMjEbUfCbqQ3g2AW2Qz/view?usp=sharing and https://github.com/user-attachments/files/22066135/budibase-privileged-esc-poc.txt. Security teams should monitor for patches and restrict Creator access where possible.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invite new…

more

users with any role, including Admin, Creator, or App Viewer, and assign them to any group in the organization. This allows full privilege escalation, bypassing UI restrictions, and can lead to complete takeover of the workspace or organization. As of time of publication, no known fixed versions are available.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1136 Create Account Persistence
Adversaries may create an account to maintain access to victim systems.
Why these techniques?

Vulnerability is an authorization bypass allowing a Creator user to create/invite new accounts with arbitrary high-privilege roles (Admin etc.), directly enabling privilege escalation via exploitation (T1068) and creation of privileged accounts for takeover (T1136).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25045Same product: Budibase Budibase
CVE-2026-35214Same product: Budibase Budibase
CVE-2026-27702Same product: Budibase Budibase
CVE-2026-35218Same product: Budibase Budibase
CVE-2026-41428Same product: Budibase Budibase
CVE-2026-25041Same product: Budibase Budibase
CVE-2026-33226Same product: Budibase Budibase
CVE-2026-42239Same product: Budibase Budibase
CVE-2026-35216Same product: Budibase Budibase
CVE-2026-25043Same product: Budibase Budibase

Affected Assets

budibase
budibase
≤ 3.26.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations on API endpoints to prevent Creator users from bypassing UI restrictions and inviting users with elevated roles.

prevent

Restricts privileges to least necessary, ensuring Creator roles cannot perform unauthorized user invitations or role escalations via API.

prevent

Manages account creation, role assignments, and group memberships to block unauthorized provisioning of elevated privileges by low-privilege users.

References