Budibase: Workspace-Scoped Builder Escalates to Global Admin via Public API Role Assignment
critical-cve-against-dependency · active
A privilege-escalation flaw in Budibase lets any workspace-scoped (app-level) builder with an API key promote themselves or any user to global tenant administrator with a single POST to `/api/public/v1/roles/assign`. Global admin grants unrestricted access to every app, user, datasource credential, automation, and identity config in the tenant. The issue affects Enterprise tenants with the EXPANDED_PUBLIC_API feature enabled.
Affected packages
- npm: budibase
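The root cause the advisory describes is a role-assignment endpoint that authenticates the API key but never checks whether the key's scope covers the role being assigned. The TypeScript below is an added illustration written for this page, not Budibase's own code: it models a handler comparable to the `/api/public/v1/roles/assign` endpoint in a vulnerable and a hardened form, then runs a small detection over constructed audit records. Every type, function and field name (`Caller`, `RoleRequest`, `assignRoleHardened`, `keyScope`, the role vocabulary) is assumed; only the path comes from the advisory.

```typescript
// Added illustration, not Budibase's code. Models a role-assignment endpoint
// comparable to POST /api/public/v1/roles/assign and shows the missing
// authorization check. All types, names and role vocabulary are assumed.

type Scope = "global" | "workspace";

interface Caller {
  userId: string;
  scope: Scope;            // what the API key is bound to (assumed field)
  workspaceId?: string;    // set when scope === "workspace"
  isGlobalAdmin: boolean;
}

type RoleRequest =
  | { kind: "global"; targetUserId: string; role: "admin" | "builder" }
  | { kind: "workspace"; targetUserId: string; workspaceId: string; role: "admin" | "power" | "basic" };

interface Result {
  ok: boolean;
  reason: string;
}

// Vulnerable shape: any authenticated key may assign any role, global ones
// included, so a workspace-scoped builder can grant global admin to any user.
function assignRoleVulnerable(caller: Caller | null, req: RoleRequest): Result {
  if (!caller) return { ok: false, reason: "unauthenticated" };
  // Missing: no comparison of the caller's scope against the requested role.
  return { ok: true, reason: `granted ${req.role} (${req.kind}) to ${req.targetUserId}` };
}

// Hardened shape: authorize against the caller's scope before touching any role.
// Global roles require a global-admin key; workspace roles require a key bound
// to that same workspace (or a global admin).
function assignRoleHardened(caller: Caller | null, req: RoleRequest): Result {
  if (!caller) return { ok: false, reason: "unauthenticated" };
  if (req.kind === "global") {
    if (caller.scope !== "global" || !caller.isGlobalAdmin) {
      return { ok: false, reason: "global roles require a global-admin key" };
    }
    return { ok: true, reason: `granted global ${req.role} to ${req.targetUserId}` };
  }
  if (caller.scope === "global" && caller.isGlobalAdmin) {
    return { ok: true, reason: `granted ${req.role} on ${req.workspaceId} to ${req.targetUserId}` };
  }
  if (caller.scope === "workspace" && caller.workspaceId === req.workspaceId) {
    return { ok: true, reason: `granted ${req.role} on ${req.workspaceId} to ${req.targetUserId}` };
  }
  return { ok: false, reason: "key is not scoped to this workspace" };
}

// Constructed audit records in the shape a log pipeline might receive (assumed).
interface AuditRecord {
  keyScope: Scope;
  path: string;
  body: RoleRequest;
}

// Detection: a workspace-scoped key sending a global role assignment to the
// role-assign path is the signature of this issue, whether or not it succeeded.
function flagSuspicious(records: AuditRecord[]): AuditRecord[] {
  return records.filter(
    (r) => r.path === "/api/public/v1/roles/assign" && r.keyScope === "workspace" && r.body.kind === "global",
  );
}

// Constructed sample records: one legitimate workspace grant, one escalation
// attempt from a workspace key, one legitimate global grant from a global key.
const SAMPLE_AUDIT: AuditRecord[] = [
  { keyScope: "workspace", path: "/api/public/v1/roles/assign",
    body: { kind: "workspace", targetUserId: "u2", workspaceId: "app_a", role: "basic" } },
  { keyScope: "workspace", path: "/api/public/v1/roles/assign",
    body: { kind: "global", targetUserId: "u1", role: "admin" } },
  { keyScope: "global", path: "/api/public/v1/roles/assign",
    body: { kind: "global", targetUserId: "u3", role: "builder" } },
];
```

The design point is that scope is a property of the credential, not of the user behind it: even a user who is a global admin elsewhere should be refused global role changes when calling with a key bound to one workspace. The detection keys on the same attribute, so it fires on attempts rather than only on successes, which matters for tenants patched after exposure.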