Home > Vulnerability Database > CVE-2026-25040

Mend.io Vulnerability Database

CVE-2026-25040

Good to know:

Date: January 29, 2026

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invite new users with any role, including Admin, Creator, or App Viewer, and assign them to any group in the organization. This allows full privilege escalation, bypassing UI restrictions, and can lead to complete takeover of the workspace or organization. As of time of publication, no known fixed versions are available.

Severity Score

6.5

Related Resources (5)

Url: https://github.com/user-attachments/files/22066135/budibase-privileged-esc-poc.txt

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-25040

Url: https://drive.google.com/file/d/1Dtn1WLJILRYUeoMjEbUfCbqQ3g2AW2Qz/view?usp=sharing

Url: https://github.com/Budibase/budibase/security/advisories/GHSA-4wfw-r86x-qxrm

Url: https://www.mend.io/vulnerability-database/CVE-2026-25040

Severity Score

6.5

Weakness Type (CWE)

Incorrect Authorization

CWE-863

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-25040

Good to know:

Date: January 29, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?