Cyber Resilience

CVE-2026-25043

Medium

Published: 03 April 2026

Modified
21 April 2026
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0007 (20.9th percentile)
Risk Priority: 11 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25043 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Budibase, the open-source low-code platform published by the vendor of the same name. Its CVSS v3.1 base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Email Bombing (T1667). Its EPSS score places it at the 20.9th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-25043 is a business logic vulnerability in the password reset functionality of Budibase, an open-source low-code platform. In versions prior to 3.23.25, the "Forgot Password" endpoint lacks rate limiting, CAPTCHA, or any other abuse prevention mechanism, so it accepts unlimited repeated requests. The flaw is classified under CWE-770 (Allocation of Resources Without Limits or Throttling): an unauthenticated caller can drive unbounded outbound email from the server, with each request costing the attacker nothing more than an HTTP round trip.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity by repeatedly submitting password reset requests for the same email address. This results in hundreds of password reset emails being sent in a short time window, facilitating large-scale email flooding, user harassment, and denial-of-service (DoS) attacks against targeted user inboxes. The CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) reflects its moderate impact primarily through limited availability disruption, with potential financial and reputational consequences for Budibase deployments.

The issue has been addressed in Budibase version 3.23.25, as detailed in the project's security advisory (GHSA-277c-prw2-rqgh) and the corresponding patch commit (21bc3f812b2312f082f7683c2abc22d1ecc880c7). Security practitioners should upgrade to the fixed version, confirm that the running build reports 3.23.25 or later, and review their own deployments for similar unauthenticated endpoints that send mail or consume other metered resources without a per-target or per-client limit.
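The following is an added example, not code from Budibase or from the advisory. It shows a framework-agnostic "Forgot Password" handler in the unthrottled shape the advisory describes next to a throttled one, and replays the attack (hundreds of requests for one address) against both. The limits (3 dispatched emails per recipient per hour, 10 requests per client address per 15 minutes), the handler and parameter names, the address normalisation and the injectable clock are all assumptions made for the demonstration.

```javascript
// Added example, not Budibase's code. Assumed policy: 3 dispatched reset emails
// per recipient per hour caps inbox flooding; 10 requests per client address per
// 15 minutes caps spraying across many recipients from one source.
const LIMITS = {
  perEmail:  { max: 3,  windowMs: 60 * 60 * 1000 },
  perClient: { max: 10, windowMs: 15 * 60 * 1000 },
};

// Sliding-window counter keyed by an arbitrary string; keeps recent hit
// timestamps per key and prunes ones older than the window on every check.
class SlidingWindowLimiter {
  constructor({ max, windowMs }, now = () => Date.now()) {
    this.max = max;
    this.windowMs = windowMs;
    this.now = now;          // injectable clock so the behaviour is testable
    this.hits = new Map();
  }

  // Records the hit and returns true if under the limit; returns false (and
  // records nothing) once `max` hits already fall inside the window.
  allow(key) {
    const t = this.now();
    const recent = (this.hits.get(key) || []).filter((ts) => t - ts < this.windowMs);
    if (recent.length >= this.max) {
      this.hits.set(key, recent);
      return false;
    }
    recent.push(t);
    this.hits.set(key, recent);
    return true;
  }
}

// One bucket per mailbox: "Victim@Example.com " and "victim@example.com"
// must not receive separate quotas.
function normaliseEmail(email) {
  return String(email).trim().toLowerCase();
}

// `sendResetEmail` stands in for the deployment's mailer (stubbed below).
function createForgotPasswordHandlers({ sendResetEmail, now = () => Date.now() }) {
  const emailLimiter = new SlidingWindowLimiter(LIMITS.perEmail, now);
  const clientLimiter = new SlidingWindowLimiter(LIMITS.perClient, now);
  const neutral = { status: 200, body: { message: 'If that account exists, a reset email has been sent.' } };

  // Unthrottled (the advisory's shape): every request dispatches an email.
  function unthrottled({ email }) {
    sendResetEmail(normaliseEmail(email));
    return neutral;
  }

  // Throttled: reject noisy clients outright; above the per-recipient quota,
  // return the same neutral 200 without sending, so the caller cannot tell
  // that the target mailbox is being protected.
  function throttled({ email, clientIp }) {
    if (!clientLimiter.allow(clientIp)) {
      return { status: 429, body: { message: 'Too many requests; try again later.' } };
    }
    const key = normaliseEmail(email);
    if (emailLimiter.allow(key)) {
      sendResetEmail(key);
    }
    return neutral;
  }

  return { unthrottled, throttled };
}

// Replays the attack: `attempts` requests for one address 100 ms apart, against
// both handlers. `rotateIp` models an attacker spreading requests over many
// source addresses to dodge the per-client limit; the per-recipient cap still holds.
function simulateFlood({ attempts = 200, rotateIp = false } = {}) {
  let clock = 0;
  const now = () => clock;
  const sent = { unthrottled: 0, throttled: 0 };
  const vuln = createForgotPasswordHandlers({ sendResetEmail: () => { sent.unthrottled += 1; }, now });
  const hard = createForgotPasswordHandlers({ sendResetEmail: () => { sent.throttled += 1; }, now });
  let rejected = 0;
  for (let i = 0; i < attempts; i += 1) {
    clock += 100;
    const clientIp = rotateIp ? `192.0.2.${i % 256}` : '192.0.2.1';
    vuln.unthrottled({ email: 'Victim@Example.com' });
    if (hard.throttled({ email: 'victim@example.com', clientIp }).status === 429) rejected += 1;
  }
  return { ...sent, rejected };
}
```

With 200 requests from one address, the unthrottled handler sends 200 emails; the throttled handler sends 3 and answers 429 to the last 190. With a fresh source address per request the client limit never trips, but the recipient limit still holds the mailbox to 3 emails. Keying on the normalised address matters: a limiter keyed on the raw input would hand out a fresh quota for every casing or whitespace variant.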

Vulnerability details

Budibase is an open-source low-code platform. Prior to version 3.23.25, a business logic vulnerability exists in Budibase’s password reset functionality due to the absence of rate limiting, CAPTCHA, or abuse prevention mechanisms on the “Forgot Password” endpoint. An unauthenticated attacker can repeatedly trigger password reset requests for the same email address, resulting in hundreds of password reset emails being sent in a short time window. This enables large-scale email flooding, user harassment, denial of service (DoS) against user inboxes, and potential financial and reputational impact for Budibase. This issue has been patched in version 3.23.25.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1667 Email Bombing (tactic: Impact)
Adversaries may flood targeted email addresses with an overwhelming volume of messages.
Why these techniques?

The lack of rate limiting on the unauthenticated password reset endpoint directly enables repeated abuse to trigger mass email sends, mapping to email bombing (T1667) for inbox flooding and harassment.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
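For the detection side of the same mapping, the following is an added example, not part of the advisory or of Budibase. It scans application log lines for bursts of reset requests per recipient and per source address, which is the signal an unthrottled endpoint leaves behind whether the attack is aimed at one inbox or sprayed across many. The log format, the sample lines and the endpoint path are constructed for this example and are not Budibase's real log format or route; the threshold (5 resets for one mailbox within 5 minutes) is an assumption to tune against your own baseline.

```javascript
// Added detection example, not from the advisory or Budibase. Log format,
// sample lines and endpoint path are constructed for the demonstration.

// Constructed sample: one source asking for 25 resets of the same mailbox
// within 50 seconds, two legitimate one-off resets, and one unrelated line.
function buildSampleLog() {
  const lines = [];
  for (let i = 0; i < 25; i += 1) {
    const sec = String(i * 2).padStart(2, '0');
    lines.push(`2026-04-03T10:00:${sec}Z 203.0.113.5 POST /api/auth/forgot-password email=Victim@Example.com 200`);
  }
  lines.push('2026-04-03T10:05:12Z 198.51.100.7 POST /api/auth/forgot-password email=bob@example.com 200');
  lines.push('2026-04-03T10:41:30Z 198.51.100.9 POST /api/auth/forgot-password email=carol@example.com 200');
  lines.push('2026-04-03T10:41:31Z 198.51.100.9 GET /api/status 200');
  return lines;
}

// "<iso-timestamp> <client-ip> POST <path containing forgot-password> email=<addr> <status>"
const RESET_LINE = /^(\S+) (\S+) POST \S*forgot-password\S* email=(\S+) \d{3}$/;

// Returns { ts, ip, email } for a reset request line, or null for anything else.
// The recipient is normalised so casing variants land in one bucket.
function parseResetEvent(line) {
  const m = RESET_LINE.exec(line);
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, ip: m[2], email: m[3].trim().toLowerCase() };
}

// Largest number of events that fall inside any window of `windowMs`
// (two-pointer sweep over the sorted timestamps).
function maxHitsInWindow(times, windowMs) {
  const ts = [...times].sort((a, b) => a - b);
  let best = 0;
  let start = 0;
  for (let end = 0; end < ts.length; end += 1) {
    while (ts[end] - ts[start] >= windowMs) start += 1;
    best = Math.max(best, end - start + 1);
  }
  return best;
}

// Groups reset events by recipient and by source, and raises one alert per key
// whose densest window reaches `threshold`. Defaults are an assumption: five
// resets for one mailbox in five minutes is far above ordinary user behaviour.
function detectResetBursts(lines, { threshold = 5, windowMs = 5 * 60 * 1000 } = {}) {
  const byRecipient = new Map();
  const bySource = new Map();
  const push = (map, key, ts) => {
    if (!map.has(key)) map.set(key, []);
    map.get(key).push(ts);
  };
  for (const line of lines) {
    const ev = parseResetEvent(line);
    if (!ev) continue;
    push(byRecipient, ev.email, ev.ts);
    push(bySource, ev.ip, ev.ts);
  }
  const alerts = [];
  for (const [kind, map] of [['recipient', byRecipient], ['source', bySource]]) {
    for (const [key, times] of map) {
      const hits = maxHitsInWindow(times, windowMs);
      if (hits >= threshold) alerts.push({ kind, key, hits, total: times.length });
    }
  }
  return alerts;
}
```

On the constructed sample this yields two alerts, one for the recipient victim@example.com and one for the source 203.0.113.5, each with 25 hits in the window, while the two legitimate users are not flagged. Keeping the recipient and source views separate is deliberate: an attacker rotating source addresses still shows up in the recipient view, and one source spraying many mailboxes still shows up in the source view.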

CVEs Like This One

CVE-2026-30240 · Same product: Budibase Budibase
CVE-2026-25737 · Same product: Budibase Budibase
CVE-2026-33226 · Same product: Budibase Budibase
CVE-2026-35216 · Same product: Budibase Budibase
CVE-2026-25041 · Same product: Budibase Budibase
CVE-2026-25044 · Same product: Budibase Budibase
CVE-2026-31818 · Same product: Budibase Budibase
CVE-2026-25045 · Same product: Budibase Budibase
CVE-2026-35214 · Same product: Budibase Budibase
CVE-2026-35218 · Same product: Budibase Budibase

Affected Assets

budibase
budibase
< 3.23.25 (versions prior to 3.23.25 are affected; 3.23.25 contains the fix)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

prevent · SC-5 (Denial-of-service Protection) directly requires denial-of-service protections such as rate limiting on the unauthenticated 'Forgot Password' endpoint to prevent email flooding attacks.

prevent · SI-9 (Information Input Restrictions) is cited for restricting the volume of input the 'Forgot Password' endpoint will accept, mitigating unlimited repeated requests for the same email address. Note that SI-9 is withdrawn in SP 800-53 r5 (incorporated into AC-2, AC-3, AC-5 and AC-6), so in a control matrix this requirement should be recorded under those controls or under SC-5 rather than as SI-9.

prevent · SC-6 (Resource Availability) allocates resources with defined limits to prevent excessive consumption from repeated password reset requests leading to email DoS.
