CVE-2026-25043
Published: 03 April 2026
Summary
CVE-2026-25043 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Budibase. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Email Bombing (T1667); ranked at the 19.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
SC-5 directly requires denial-of-service protections such as rate limiting on the unauthenticated 'Forgot Password' endpoint to prevent email flooding attacks.
SI-9 enforces information volume restrictions on inputs to the 'Forgot Password' endpoint, mitigating unlimited repeated requests for the same email address.
SC-6 allocates resources with defined limits to prevent excessive consumption from repeated password reset requests leading to email DoS.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The lack of rate limiting on the unauthenticated password reset endpoint directly enables repeated abuse to trigger mass email sends, mapping to email bombing (T1667) for inbox flooding and harassment.
NVD Description
Budibase is an open-source low-code platform. Prior to version 3.23.25, a business logic vulnerability exists in Budibase's password reset functionality due to the absence of rate limiting, CAPTCHA, or abuse prevention mechanisms on the "Forgot Password" endpoint. An unauthenticated attacker can repeatedly trigger password reset requests for the same email address, resulting in hundreds of password reset emails being sent in a short time window. This enables large-scale email flooding, user harassment, denial of service (DoS) against user inboxes, and potential financial and reputational impact for Budibase. This issue has been patched in version 3.23.25.
Deeper analysis [AI]
CVE-2026-25043 is a business logic vulnerability in the password reset functionality of Budibase, an open-source low-code platform. In versions prior to 3.23.25, the "Forgot Password" endpoint lacks rate limiting, CAPTCHA, or other abuse prevention mechanisms, allowing unrestricted repeated requests. This flaw, classified under CWE-770 (Allocation of Resources Without Limits or Throttling), enables excessive resource consumption without authentication requirements.
An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity by repeatedly submitting password reset requests for the same email address. This results in hundreds of password reset emails being sent in a short time window, facilitating large-scale email flooding, user harassment, and denial-of-service (DoS) attacks against targeted user inboxes. The CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) reflects its moderate impact primarily through limited availability disruption, with potential financial and reputational consequences for Budibase deployments.
The issue has been addressed in Budibase version 3.23.25, as detailed in the project's security advisory (GHSA-277c-prw2-rqgh) and the corresponding patch commit (21bc3f812b2312f082f7683c2abc22d1ecc880c7). Security practitioners should upgrade to the fixed version and review configurations for similar unprotected endpoints to mitigate abuse risks.
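As an added illustration of the SC-5/SC-6 controls named above (example code, not Budibase's own code or its 3.23.25 fix), the handler below throttles "Forgot Password" requests per normalized email address and per client IP inside a sliding window, keeps the HTTP response identical whether or not a mail was sent, and logs throttled attempts so that a flood shows up in monitoring. The window, the limits, the handler shape and all function names are assumptions.

```javascript
// Illustrative throttle for a password-reset endpoint (assumed design, not Budibase code).
const WINDOW_MS = 15 * 60 * 1000; // sliding window of 15 minutes (assumed policy)
const MAX_PER_EMAIL = 3;          // reset mails per address per window (assumed policy)
const MAX_PER_IP = 10;            // reset requests per client IP per window (assumed policy)

// In-memory buckets keyed by "email:<addr>" or "ip:<addr>". A real deployment
// would keep these in a shared store so the limit holds across app replicas.
const buckets = new Map();

// Record one hit on `key` at time `now`; return true if it is within `limit`.
function hit(key, limit, now) {
  const stamps = (buckets.get(key) || []).filter((t) => now - t < WINDOW_MS);
  const allowed = stamps.length < limit;
  if (allowed) stamps.push(now);
  buckets.set(key, stamps);
  return allowed;
}

// Handle one request. `sendResetMail(email)` is the mailer; `log(event)` is
// the detection sink. Returns { sent, status, body }; the status and body are
// the same for a sent mail, an unknown address, and a throttled request, so the
// caller learns nothing about accounts or about the throttle from the response.
function handleForgotPassword({ email, ip }, sendResetMail, now = Date.now(), log = () => {}) {
  // Normalize so case or whitespace variants of one mailbox share one bucket.
  const normalized = String(email || "").trim().toLowerCase();
  const response = {
    status: 200,
    body: { message: "If that address exists, a reset link has been sent." },
  };
  if (!normalized.includes("@")) return { sent: false, ...response };

  // Both buckets are charged on every request so the per-IP count stays honest
  // even when the per-email limit is the one that trips.
  const ipOk = hit(`ip:${ip}`, MAX_PER_IP, now);
  const emailOk = hit(`email:${normalized}`, MAX_PER_EMAIL, now);
  if (!ipOk || !emailOk) {
    log({ event: "password_reset_throttled", email: normalized, ip, ipOk, emailOk, at: now });
    return { sent: false, ...response };
  }
  sendResetMail(normalized);
  return { sent: true, ...response };
}
```

A burst of a hundred requests for one address then yields at most MAX_PER_EMAIL mails, and every rejected request leaves a log event that a SIEM rule can count.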
Details
- CWE(s)