CVE-2026-25040
Published: 29 January 2026
Summary
CVE-2026-25040 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Budibase Budibase. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 7.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations on API endpoints to prevent Creator users from bypassing UI restrictions and inviting users with elevated roles.
Restricts privileges to least necessary, ensuring Creator roles cannot perform unauthorized user invitations or role escalations via API.
Manages account creation, role assignments, and group memberships to block unauthorized provisioning of elevated privileges by low-privilege users.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability is an authorization bypass allowing a Creator user to create/invite new accounts with arbitrary high-privilege roles (Admin etc.), directly enabling privilege escalation via exploitation (T1068) and creation of privileged accounts for takeover (T1136).
NVD Description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invite new…
more
users with any role, including Admin, Creator, or App Viewer, and assign them to any group in the organization. This allows full privilege escalation, bypassing UI restrictions, and can lead to complete takeover of the workspace or organization. As of time of publication, no known fixed versions are available.
Deeper analysisAI
CVE-2026-25040 is an incorrect authorization vulnerability (CWE-863) in Budibase, a low-code platform for building internal tools, workflows, and admin panels. It affects versions up to and including 3.26.3. A Creator-level user, who lacks UI permissions to invite users, can manipulate API requests to invite new users with any role—including Admin, Creator, or App Viewer—and assign them to any group in the organization. This flaw enables full privilege escalation, bypassing UI restrictions and potentially leading to complete takeover of the workspace or organization. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The attack requires only low privileges (Creator role) and can be carried out remotely with low complexity and no user interaction. An attacker with Creator access crafts and sends manipulated API requests to the Budibase instance, successfully inviting external or controlled accounts with elevated Admin privileges. This grants the invitees full control over the platform, including user management, app deployment, and organization settings, resulting in high confidentiality, integrity, and availability impacts.
As of publication on 2026-01-29T22:15:55.347, no fixed versions are available. Mitigation details are outlined in the Budibase security advisory at https://github.com/Budibase/budibase/security/advisories/GHSA-4wfw-r86x-qxrm, with proof-of-concept details in https://drive.google.com/file/d/1Dtn1WLJILRYUeoMjEbUfCbqQ3g2AW2Qz/view?usp=sharing and https://github.com/user-attachments/files/22066135/budibase-privileged-esc-poc.txt. Security teams should monitor for patches and restrict Creator access where possible.
Details
- CWE(s)