Budibase
cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*
- <= 3.26.3
A critical privilege escalation vulnerability has been identified in Budibase versions up to and including 3.26.3. It allows Creator-level users, who are not permitted to invite users through the UI, to craft API requests that invite new users with any role (Admin, Creator or App Viewer) and assign them to any group in the organization. The API does not enforce role-based access control on the invitation endpoint, so the server accepts these requests without any authorization check, and a Creator can use them to take over the workspace or organization.
By inviting an account they control with the Admin role (or any other role), a Creator gains Admin privileges despite the UI restriction. From there they can invite further users, manage group assignments and perform all CRUD operations within the workspace, which could disrupt organizational operations and expose sensitive data.
To reproduce, log in as a Creator and confirm that the UI offers no option to invite users. Capture any authenticated API request with an intercepting proxy (for example, a profile update), and rewrite it to target the user invitation endpoint, adding the desired role and group assignments to the request body. Send the modified request: the invited user appears in the pending invites with the requested privileges, confirming that the server never checked whether the caller was permitted to invite.
Budibase should enforce role-based access control on the server for every API endpoint that manages users, roles or group memberships, deriving the caller's permissions from the authenticated session rather than from anything in the request body, and rejecting attempts to grant a role higher than the caller's own or to assign groups the caller may not manage. Logging and alerting on rejected user-management requests from low-privilege accounts would also help detect attempts to abuse this class of weakness.
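The following is an added example, not Budibase's own code: it models the reproduction steps and the recommended fix above as a vulnerable invite handler next to a hardened one, with an audit log that a detection rule can query. The role names follow the advisory; every function and field name (inviteUserVulnerable, inviteUserHardened, CAN_INVITE, escalationAttempts), the sample accounts and the group names are hypothetical.

```typescript
// Added example (not Budibase code): the missing server-side check described in the
// advisory, shown as a vulnerable invite handler next to a hardened one. Role names
// follow the advisory; all function and field names here are a hypothetical model.

type Role = "admin" | "creator" | "app_viewer";

// Higher rank means more privilege; used to stop anyone granting a role above their own.
const ROLE_RANK: Record<Role, number> = { app_viewer: 0, creator: 1, admin: 2 };

// Assumption: only Admins hold the invite permission, matching the UI behaviour in the advisory.
const CAN_INVITE: ReadonlySet<Role> = new Set<Role>(["admin"]);

interface Actor { id: string; role: Role; }
interface InviteRequest { email: string; role: Role; groups: string[]; }
interface InviteResult {
  status: number;
  error?: string;
  invite?: { email: string; role: Role; groups: string[]; invitedBy: string };
}

interface AuditEvent {
  actor: string;
  actorRole: Role;
  action: "user.invite";
  outcome: "allowed" | "denied";
  reason: string;
  requested: { email: string; role: Role; groups: string[] };
}

// In-memory audit sink standing in for a real logging pipeline.
const auditLog: AuditEvent[] = [];

function record(actor: Actor, req: InviteRequest, outcome: "allowed" | "denied", reason: string): void {
  auditLog.push({ actor: actor.id, actorRole: actor.role, action: "user.invite", outcome, reason, requested: { ...req } });
}

// Vulnerable form: the handler trusts the authenticated session and the request body,
// but never asks whether this actor may invite at all, or may grant the requested role.
function inviteUserVulnerable(actor: Actor, req: InviteRequest): InviteResult {
  return { status: 200, invite: { email: req.email, role: req.role, groups: req.groups, invitedBy: actor.id } };
}

// Hardened form: authorization is decided from the actor's stored role, never from the body.
function inviteUserHardened(actor: Actor, req: InviteRequest, orgGroups: ReadonlySet<string>): InviteResult {
  const deny = (reason: string): InviteResult => {
    record(actor, req, "denied", reason);
    return { status: 403, error: reason };
  };

  if (!CAN_INVITE.has(actor.role)) return deny("actor lacks invite permission");
  if (!(req.role in ROLE_RANK)) return deny("unknown role in request");
  if (ROLE_RANK[req.role] > ROLE_RANK[actor.role]) return deny("requested role exceeds actor role");
  const unknownGroup = req.groups.find((g) => !orgGroups.has(g));
  if (unknownGroup !== undefined) return deny(`unknown group: ${unknownGroup}`);

  record(actor, req, "allowed", "ok");
  return { status: 200, invite: { email: req.email, role: req.role, groups: [...req.groups], invitedBy: actor.id } };
}

// Detection: denied invite attempts from accounts that do not hold the invite permission
// are the "privilege escalation attempts from low-privilege accounts" worth alerting on.
function escalationAttempts(log: readonly AuditEvent[]): AuditEvent[] {
  return log.filter((e) => e.action === "user.invite" && e.outcome === "denied" && !CAN_INVITE.has(e.actorRole));
}

// Constructed scenario from the advisory: a Creator replays a request to the invite
// endpoint carrying an Admin role and a group assignment in the body.
const ORG_GROUPS: ReadonlySet<string> = new Set(["finance", "engineering"]);
const creator: Actor = { id: "u-creator", role: "creator" };
const admin: Actor = { id: "u-admin", role: "admin" };
const hostileInvite: InviteRequest = { email: "attacker@example.com", role: "admin", groups: ["finance"] };

function demo(): { vulnerableStatus: number; hardenedStatus: number; alerts: number } {
  auditLog.length = 0;
  const v = inviteUserVulnerable(creator, hostileInvite);           // 200: invite lands as Admin
  const h = inviteUserHardened(creator, hostileInvite, ORG_GROUPS); // 403 plus an audit event
  inviteUserHardened(admin, { email: "new@example.com", role: "creator", groups: ["engineering"] }, ORG_GROUPS); // 200
  return { vulnerableStatus: v.status, hardenedStatus: h.status, alerts: escalationAttempts(auditLog).length };
}
```

The point of the hardened form is that nothing in the request body influences the decision: the actor's role comes from the authenticated session, the permission table and the role ceiling are applied before any side effect, and group names are validated against the organization's own list. The denied events are kept in the same log as the allowed ones so a detection rule can separate a Creator probing the invite endpoint from an Admin who simply mistyped a group name.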