Budibase
cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*
- https://hasinocompany.budibase.app
A critical vulnerability in Budibase's low-code platform for internal tools and workflows allows vertical privilege escalation and insecure direct object reference (IDOR). The issue arises from missing server-side role-based access control (RBAC) checks on the '/api/global/users' endpoint. A user with Creator-level permissions, who should not be able to manage users or organizational roles, can exploit it to promote an App Viewer to Tenant Admin, demote a Tenant Admin to App Viewer, or alter the Owner's account details and orders. Because the API never validates the requesting user's role, a Creator can replay Owner-only requests under their own session token, resulting in complete compromise of the tenant.
Exploitation of this vulnerability allows a user in the Creator role to manipulate user roles within the organization, including promoting themselves or others to Tenant Admin, demoting Tenant Admins to App Users, and impersonating the Owner by modifying the Owner's account details. This unauthorized access and role manipulation can disrupt business operations, enable data exfiltration, and create compliance risks.
To reproduce this vulnerability, log in as a user with Owner privileges and intercept a request that promotes an App Viewer to Tenant Admin, demotes a Tenant Admin to App Viewer, or changes the Owner's name. Then log out and log in as a Creator role user. Capture a benign request from the Creator, such as a profile update, to obtain the Creator's session token values, and substitute them into the intercepted Owner request. Send the modified request; the server accepts it and applies the unauthorized change. Finally, log back in as the Owner and verify the change through the user management interface.
Budibase should enforce strict server-side RBAC checks on the '/api/global/users' endpoint so that requests from Creator roles to modify user details are rejected regardless of the session token presented. Additionally, the principle of least privilege should be applied throughout the backend logic so that users can only perform actions appropriate to their roles.
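The following is an added illustration of the remediation above; it is not Budibase's code. It models a user-update handler in plain Node.js with an in-memory store: a vulnerable shape that authenticates the session but never authorizes the action, beside a hardened shape that decides authorization on the server from the requester's stored role. The role names, their ranking, the mutable field list, and the handler signatures are assumptions chosen for the example, and the runScenario() helper replays the advisory's scenario (Creator promoting a viewer, Creator renaming the Owner) against both handlers.

```javascript
// Added example (not Budibase's code): server-side RBAC for a user-management
// endpoint modelled on the /api/global/users flaw described above.
// Role names and their ranking are assumptions for illustration.
const ROLE_RANK = Object.freeze({
  APP_VIEWER: 1,
  CREATOR: 2,
  TENANT_ADMIN: 3,
  OWNER: 4,
});

// Fields a user-management request may change (assumption).
const MUTABLE_FIELDS = ["firstName", "lastName", "role"];

// Constructed in-memory tenant directory standing in for the real user store.
function makeStore() {
  return new Map([
    ["owner-1",   { id: "owner-1",   tenantId: "t1", firstName: "Olivia", role: "OWNER" }],
    ["admin-1",   { id: "admin-1",   tenantId: "t1", firstName: "Adam",   role: "TENANT_ADMIN" }],
    ["creator-1", { id: "creator-1", tenantId: "t1", firstName: "Cara",   role: "CREATOR" }],
    ["viewer-1",  { id: "viewer-1",  tenantId: "t1", firstName: "Vic",    role: "APP_VIEWER" }],
    ["viewer-2",  { id: "viewer-2",  tenantId: "t2", firstName: "Vera",   role: "APP_VIEWER" }],
  ]);
}

// Vulnerable shape: the session identifies the requester (authentication) but the
// handler never asks whether that requester may manage users (authorization), so
// any authenticated user, a Creator included, can change anyone's role or details.
function updateUserVulnerable(store, requester, targetId, patch) {
  const target = store.get(targetId);
  if (!target) return { status: 404 };
  Object.assign(target, patch);
  return { status: 200, user: target };
}

// Hardened shape: authorization is derived from the requester's stored role,
// never from anything the client sends.
function updateUserHardened(store, requester, targetId, patch) {
  const requesterRank = ROLE_RANK[requester.role];
  // 1. Only Tenant Admins and the Owner may manage users at all.
  if (requesterRank === undefined || requesterRank < ROLE_RANK.TENANT_ADMIN) {
    return { status: 403, error: "insufficient role" };
  }
  const target = store.get(targetId);
  // 2. Scope to the requester's tenant; answer 404 either way so existence is not leaked.
  if (!target || target.tenantId !== requester.tenantId) return { status: 404 };
  // 3. Reject unknown fields instead of mass-assigning whatever the client sent.
  for (const key of Object.keys(patch)) {
    if (!MUTABLE_FIELDS.includes(key)) return { status: 400, error: `field not allowed: ${key}` };
  }
  // 4. Nobody may edit a user ranked above them (an Admin cannot touch the Owner).
  if (ROLE_RANK[target.role] > requesterRank) return { status: 403, error: "target outranks requester" };
  // 5. Nobody may grant a role above their own (an Admin cannot mint a new Owner).
  if (patch.role !== undefined) {
    const newRank = ROLE_RANK[patch.role];
    if (newRank === undefined) return { status: 400, error: "unknown role" };
    if (newRank > requesterRank) return { status: 403, error: "cannot grant a higher role" };
  }
  Object.assign(target, patch);
  return { status: 200, user: target };
}

// Replays the advisory's scenario against a handler and reports the outcomes.
function runScenario(handler) {
  const store = makeStore();
  const creator = store.get("creator-1");
  const admin = store.get("admin-1");
  const owner = store.get("owner-1");
  return {
    creatorPromotesViewer: handler(store, creator, "viewer-1", { role: "TENANT_ADMIN" }).status,
    creatorRenamesOwner:   handler(store, creator, "owner-1", { firstName: "Mallory" }).status,
    adminMintsOwner:       handler(store, admin, "viewer-1", { role: "OWNER" }).status,
    ownerPromotesViewer:   handler(store, owner, "viewer-1", { role: "TENANT_ADMIN" }).status,
    ownerCrossTenant:      handler(store, owner, "viewer-2", { role: "CREATOR" }).status,
    ownerFirstName:        store.get("owner-1").firstName,
  };
}

console.log("vulnerable:", runScenario(updateUserVulnerable));
console.log("hardened:  ", runScenario(updateUserHardened));
```

The hardened handler illustrates the two halves of the fix: an explicit role gate on the endpoint (step 1), and least-privilege rules that keep even legitimate administrators from reaching above their own rank (steps 4 and 5). Checks 2 and 3 are not strictly part of the reported issue but are the usual companions of an IDOR fix, since a handler that mass-assigns client input or ignores tenant scope tends to reintroduce the same class of bug.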