Budibase, the popular open-source operations platform for building agents, apps, and automations, has disclosed a critical security flaw. Tracked as CVE-2026-46425, the vulnerability carries a near-maximum CVSS base score of 9.9, reflecting a severe authorization bypass that threatens enterprise environments.
At the heart of the issue is a missing security check that essentially hands the keys to the kingdom to any basic user on the platform.
The vulnerability stems from the fact that Budibase’s System for Cross-domain Identity Management (SCIM) endpoints completely lack role-based authorization.
According to the vulnerability report, the routing code located at packages/worker/src/api/routes/global/scim.ts only attaches two specific middlewares to the SCIM router. These middlewares are requireSCIM (which checks the SCIM configuration and the Enterprise feature flag) and doInScimContext (which sets up the SCIM request context). Crucially, there is no role check enforced during this process.
As a result, any authenticated user capable of reaching the worker—even those with a standard “BASIC” role or acting as a workspace-scoped builder—can directly call SCIM endpoints. This allows them to Create, Read, Update, and Delete (CRUD) every user and group within the tenant.
Interestingly, the platform’s standard APIs were properly secured. As the report points out, “The non-SCIM equivalents at /api/global/groups already enforce auth.adminOnly; the SCIM routes are the missing half of that pair”.
If an Enterprise tenant has SCIM turned on, this missing check allows any authenticated user—including plain BASIC app users—to execute highly sensitive, admin-only operations.
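To make the gap concrete, here is an added example that is not Budibase's own code: it models the two-middleware SCIM chain described above next to the same chain with an admin-only check, using a dependency-free Koa-style pipeline. The names requireSCIM and doInScimContext come from the report; adminOnly, Ctx, callScim and the status codes are assumptions made for illustration.

```typescript
// Added example (not Budibase code): a dependency-free model of the worker's
// SCIM middleware chain, showing the authorization gap and the missing check.
type Role = "BASIC" | "BUILDER" | "ADMIN";

interface Ctx {
  user: { role: Role };
  scimEnabled: boolean; // stands in for the SCIM config + Enterprise licence check
  status: number;
  body?: unknown;
  state: Record<string, unknown>;
}

type Middleware = (ctx: Ctx, next: () => void) => void;

// Stands in for requireSCIM: only checks that SCIM is configured and licensed.
const requireSCIM: Middleware = (ctx, next) => {
  if (!ctx.scimEnabled) { ctx.status = 404; return; }
  next();
};

// Stands in for doInScimContext: sets up request context, performs no authz.
const doInScimContext: Middleware = (ctx, next) => {
  ctx.state.scim = true;
  next();
};

// The missing half of the pair: the role check /api/global/groups already has.
const adminOnly: Middleware = (ctx, next) => {
  if (ctx.user.role !== "ADMIN") { ctx.status = 403; return; }
  next();
};

// Stands in for a SCIM handler such as GET .../Users (lists every tenant user).
const listUsers: Middleware = (ctx) => { ctx.status = 200; ctx.body = { totalResults: 2 }; };

// Minimal koa-compose-style chaining: each middleware decides whether to call next().
function compose(mws: Middleware[]): Middleware {
  return (ctx, done) => {
    const run = (i: number): void => {
      if (i < mws.length) mws[i](ctx, () => run(i + 1));
      else done();
    };
    run(0);
  };
}

const vulnerableChain = compose([requireSCIM, doInScimContext, listUsers]);         // pre-3.38.2
const patchedChain = compose([requireSCIM, doInScimContext, adminOnly, listUsers]); // with role check

// Runs one SCIM request through a chain and returns the HTTP status it would produce.
function callScim(chain: Middleware, role: Role, scimEnabled = true): number {
  const ctx: Ctx = { user: { role }, scimEnabled, status: 404, state: {} };
  chain(ctx, () => {});
  return ctx.status;
}
```

A BASIC user reaches listUsers on the vulnerable chain (200) but is stopped with 403 on the patched one; the same request on a tenant without SCIM enabled is cut off by requireSCIM.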
The fallout of this vulnerability is extensive:
- Massive Privacy Breach: An attacker can list every single user in the tenant. This leaks sensitive PII, including names, emails, and group memberships.
- Creation of Ghost Identities: Malicious actors can create entirely new users equipped with arbitrary attributes and an isSync: true flag. Because of this flag, downstream UIs will falsely display these rogue accounts as officially provisioned identities.
- Total Account Takeovers: The flaw allows an attacker to change any existing user’s userName or email. Since Budibase uses the email address as the core login identifier and the target for password resets, changing it easily escalates into a full account takeover of that victim.
- Targeting the Admins: Attackers have the power to deactivate or completely delete any users on the platform, including the actual administrators.
- Role Escalation via Groups: Threat actors can freely modify group memberships. Because groups in Budibase can carry specific role assignments, an attacker can simply move a user into an attacker-controlled group, immediately granting them whichever administrative or elevated role that group holds.
The vulnerability is confirmed to affect all Budibase versions prior to 3.38.2.
Fortunately, the development team has successfully resolved the issue. Administrators running vulnerable instances must update their deployments to the fully patched version, 3.38.2, immediately to prevent unauthorized tenant manipulation.