Description

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invite new users with any role, including Admin, Creator, or App Viewer, and assign them to any group in the organization. This allows full privilege escalation, bypassing UI restrictions, and can lead to complete takeover of the workspace or organization. As of time of publication, no known fixed versions are available.

INFO

Published Date :

2026-01-29T21:33:57.328Z

Last Modified :

2026-02-02T16:35:49.534Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25040 vulnerability.

Vendors Products
Budibase
  • Budibase
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25040.

URL Resource
https://drive.google.com/file/d/1Dtn1WLJILRYUeoMjEbUfCbqQ3g2AW2Qz/view?usp=sharing cve-icon cve-icon
https://github.com/Budibase/budibase/security/advisories/GHSA-4wfw-r86x-qxrm cve-icon cve-icon
https://github.com/user-attachments/files/22066135/budibase-privileged-esc-poc.txt cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact