{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/@budibase/worker--3.38.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@budibase/worker (\u003c 3.38.1)"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","web-application","budibase"],"_cs_type":"advisory","_cs_vendors":["Budibase"],"content_html":"\u003cp\u003eA privilege escalation vulnerability (CVE-2026-45716) has been identified in Budibase versions prior to 3.38.1. The vulnerability resides in the \u003ccode\u003e/api/global/users/onboard\u003c/code\u003e endpoint, which is intended for onboarding users. However, when SMTP email configuration is absent (the default in self-hosted instances), the endpoint bypasses the typical admin-restricted invite flow. This allows a user with builder-level permissions to directly create new users with arbitrary roles, including global admin, using the \u003ccode\u003ebulkCreate\u003c/code\u003e function. The generated password for the new admin account is returned in the HTTP response. This vulnerability allows a low-privileged user to gain full administrative control over the Budibase platform.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Budibase instance with a builder-level account.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to the \u003ccode\u003e/api/global/users/onboard\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request body includes a JSON payload specifying a new user account with the \u003ccode\u003eadmin\u003c/code\u003e role set to \u003ccode\u003etrue\u003c/code\u003e for the global scope.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eworkspaceBuilderOrAdmin\u003c/code\u003e middleware incorrectly authorizes the request due to the absence of a \u003ccode\u003eworkspaceId\u003c/code\u003e parameter and the worker context.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eonboardUsers\u003c/code\u003e controller checks if SMTP is configured. Since it\u0026rsquo;s not (default self-hosted setup), it skips the intended admin-only invitation path.\u003c/li\u003e\n\u003cli\u003eThe controller directly creates a new user with the attacker-specified \u003ccode\u003eadmin\u003c/code\u003e role using the \u003ccode\u003ebulkCreate\u003c/code\u003e function, without adequate permission validation.\u003c/li\u003e\n\u003cli\u003eThe generated password for the new admin user is included in the HTTP response to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly created admin account\u0026rsquo;s credentials to log in and gain complete administrative access to the Budibase platform.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows any builder-level user to escalate their privileges to a global administrator on self-hosted Budibase instances that do not have SMTP configured. A successful attacker gains full platform compromise, including access to all apps, data sources, user management capabilities, and the ability to delete apps or modify platform configurations. The exposure of the generated password in the HTTP response provides immediate access to the new admin account, compounding the severity. This vulnerability affects a significant portion of self-hosted Budibase instances due to the default configuration without SMTP.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Budibase to version 3.38.1 or later to patch CVE-2026-45716.\u003c/li\u003e\n\u003cli\u003eImplement the recommended fix by modifying \u003ccode\u003e/packages/worker/src/api/routes/global/users.ts\u003c/code\u003e to move the \u003ccode\u003eonboardUsers\u003c/code\u003e route to \u003ccode\u003eadminRoutes\u003c/code\u003e as described in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Budibase onboardUsers Endpoint Abuse\u0026rdquo; to identify exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview existing user accounts and roles, focusing on builder-level accounts, for any signs of unauthorized privilege escalation using the steps outlined in the Attack Chain.\u003c/li\u003e\n\u003cli\u003eConfigure SMTP to prevent the vulnerable code path from being executed; however, this does not address the underlying authorization issue.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T17:44:23Z","date_published":"2026-05-18T17:44:23Z","id":"https://feed.craftedsignal.io/briefs/2026-05-budibase-privesc/","summary":"A privilege escalation vulnerability exists in Budibase's `onboardUsers` endpoint (CVE-2026-45716) allowing a builder-level user to create global admin accounts by bypassing the intended invite flow when SMTP is not configured, due to insufficient authorization checks and direct user creation with attacker-controlled roles.","title":"Budibase Builder-to-Admin Privilege Escalation via Unsecured onboardUsers Endpoint","url":"https://feed.craftedsignal.io/briefs/2026-05-budibase-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — @Budibase/Worker (\u003c 3.38.1)","version":"https://jsonfeed.org/version/1.1"}