Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration

Severity:: High

Description

The POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it.

Recommendation

Update the @budibase/worker package to the latest compatible version. Followings are version details:

Affected version(s): < 3.38.1
Patched version(s): 3.38.1

References

GHSA-c54j-xp92-wh28
CVE-2026-45716
CWE-269
CAPEC-310
OWASP 2021-A4
OWASP 2021-A6

Related Issues

Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity - CVE-2026-33950
Paperclip: Privilege Escalation via Agent-Controlled workspaceStrategy.provisionCommand Leading to OS Command Execution - CVE-2026-41208
Cube Core is vulnerable to privilege escalation via a specially crafted request - CVE-2026-25958
StudioCMS has Privilege Escalation via Insecure API Token Generation - CVE-2026-30944

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; @budibase/worker

Anything's wrong? Let us know Last updated on May 18, 2026