CVE-2026-25045
Published: 09 March 2026
Summary
CVE-2026-25045 is a high-severity Missing Authorization (CWE-862) vulnerability in Budibase Budibase. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 13.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces server-side RBAC checks on /api/global/users endpoints to prevent Creator-level users from performing unauthorized Owner-level actions like user promotion or account modification.
Implements least privilege to restrict Creator users from escalating privileges to manage organizational roles or modify tenant admin accounts.
Validates inputs such as user IDs in API requests to mitigate the IDOR component allowing unauthorized access to and modification of other users' accounts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing server-side RBAC authorization checks enable an authenticated low-privileged user to arbitrarily modify roles and account details, directly facilitating vertical privilege escalation (T1068) and account manipulation such as role promotion to Tenant Admin (T1098).
NVD Description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. This issue is a combination of Vertical Privilege Escalation and IDOR (Insecure Direct Object Reference) due to missing server-side RBAC checks in the /api/global/users endpoints. A…
more
Creator-level user, who should have no permissions to manage users or organizational roles, can instead promote an App Viewer to Tenant Admin, demote a Tenant Admin to App Viewer, or modify the Owner’s account details and all orders (e.g., change name). This is because the API accepts these actions without validating the requesting role, a Creator can replay Owner-only requests using their own session tokens. This leads to full tenant compromise.
Deeper analysisAI
CVE-2026-25045 is a vulnerability in Budibase, a low-code platform for creating internal tools, workflows, and admin panels. It combines vertical privilege escalation and insecure direct object reference (IDOR), classified under CWE-862, due to missing server-side role-based access control (RBAC) checks in the /api/global/users endpoints. Published on 2026-03-09, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability can be exploited by a Creator-level user, who normally has no permissions to manage users or organizational roles. Such an attacker can promote an App Viewer to Tenant Admin, demote a Tenant Admin to App Viewer, or modify the Owner’s account details and all orders (e.g., change name). Exploitation occurs by replaying Owner-only requests using the attacker's own session tokens, as the API accepts these actions without validating the requesting role, leading to full tenant compromise.
Mitigation details are available in the Budibase security advisory at https://github.com/Budibase/budibase/security/advisories/GHSA-2g39-332f-68p9.
Details
- CWE(s)