Budibase, Privilege Escalation via Onboard Endpoint, CVE (unknown) (Critical)

Listen to this Post

The vulnerability exists in the `POST /api/global/users/onboard` endpoint, which is incorrectly protected by `workspaceBuilderOrAdmin` middleware instead of adminRoutes. On self-hosted Budibase instances where SMTP is not configured (the default), this endpoint does not fall back to the admin-only invite flow. Instead, it directly calls `bulkCreate` to create users. A builder-level attacker can supply a request body containing `”admin”:{“global”:true}` or "builder":true. The `buildInviteMultipleValidation` Joi schema accepts `userInfo` as an optional object with no constraints, so the malicious `admin` and `builder` fields pass through. The middleware `workspaceBuilderOrAdmin.ts` checks `!workspaceId && env.isWorker()` – true for this endpoint – and only verifies hasBuilderPermissions, not admin rights. The `onboardUsers` controller then generates a 12-character password, creates the user document in CouchDB without stripping elevated roles, and returns the password in the response. The attacker can immediately log in as a global admin, achieving full privilege escalation. No SMTP configuration means no email verification or admin approval is required. The route definition at `packages/worker/src/api/routes/global/users.ts:93-109` places the endpoint under builderOrAdminRoutes, while `invite` and `inviteMultiple` are correctly under adminRoutes. The controller at `packages/worker/src/api/controllers/global/users.ts:601-630` checks `isEmailConfigured()` – if false, it proceeds to create users with attacker-controlled roles. No downstream validation in `bulkCreate` or `buildUser` strips `admin` or `builder` fields.
Platform: Budibase
Version: Self-hosted (default config)
Vulnerability: Privilege escalation
Severity: Critical
date: 2023-11-15 (estimated disclosure)

Prediction: Patch within 14 days (e.g., 2023-11-29)

What Undercode Say:

Check if SMTP is configured (if false, vulnerable)
curl -s -X GET 'http://localhost:10000/api/global/settings' -b cookies.txt | jq '.smtp'
Simulate builder login
curl -c cookies.txt -X POST 'http://localhost:10000/api/global/auth/default/login' -H 'Content-Type: application/json' -d '{"username":"[email protected]","password":"builderpass"}'
Exploit to create admin
curl -X POST 'http://localhost:10000/api/global/users/onboard' -H 'Content-Type: application/json' -b cookies.txt -d '[{"email":"[email protected]","userInfo":{"admin":{"global":true}}}]'

How Exploit:

1. Obtain builder session via login.

  1. Send POST to `/api/global/users/onboard` with JSON array containing `email` and userInfo.admin.global=true.

3. Receive generated password in `successful[].password`.

  1. Login as new global admin using that email and password.

Protection from this CVE:

  • Move `/api/global/users/onboard` from `builderOrAdminRoutes` to `adminRoutes` in users.ts.
  • Add controller validation: reject if `invite.userInfo.admin` and !ctx.user.admin?.global.
  • Configure SMTP (forces admin-only invite flow).
  • Upgrade to patched version (commit that fixes route authorization).

Impact:

  • Builder → global admin escalation.
  • Full platform compromise (all apps, data sources, users, config).
  • Generated password exposed in HTTP response.
  • Stealthy creation – user appears legitimate.
  • Default self-hosted deployments are vulnerable.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top