VYPR
← All advisories
Medium severity4.2GHSA Advisory· Published May 19, 2026

Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour

CVE-2026-46424

Description

Summary

The public API role unassignment endpoint (POST /api/public/v1/roles/unassign) updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user identity and permissions from this cache (TTL: 3600 seconds), a user whose admin, builder, or app-level roles have been revoked via the public API retains those privileges for up to 1 hour.

Details

The root cause is an inconsistency between the UserDB.save() and UserDB.bulkUpdate() code paths.

Vulnerable pathpackages/pro/src/sdk/publicApi/roles.ts:49-75: ``typescript export async function unAssign(userIds: string[], opts: AssignmentOpts) { // ... modifies user objects: deletes roles, admin, builder ... await userDB.bulkUpdate(users) // line 74 } ``

bulkUpdate delegates to bulkUpdateGlobalUsers() at packages/backend-core/src/users/users.ts:82-85: ``typescript export async function bulkUpdateGlobalUsers(users: User[]) { const db = getGlobalDB() return (await db.bulkDocs(users)) as BulkDocsResponse } ``

This writes directly to CouchDB with no cache invalidation.

Correct pathpackages/backend-core/src/users/db.ts:355 (used by admin UI): ``typescript await cache.user.invalidateUser(response.id) ``

Cache configurationpackages/backend-core/src/cache/user.ts:11: ``typescript const EXPIRY_SECONDS = 3600 // 1 hour TTL ``

Authentication middlewarepackages/backend-core/src/middleware/authenticated.ts:153-160: ``typescript user = await getUser({ userId, tenantId: session.tenantId, email: session.email, }) ``

getUser() reads from Redis cache first; it only falls back to CouchDB on cache miss. After unAssign updates CouchDB without invalidating Redis, every authenticated request continues to use the stale cached user object with the old (revoked) privileges.

Notably, other bulk operations in the codebase handle this correctly — groups.addUsers() and groups.removeUsers() in packages/pro/src/sdk/groups/groups.ts both loop through affected users and call cache.user.invalidateUser() after bulkUpdateGlobalUsers(). The public API roles path was missed.

PoC

# Prerequisites: Enterprise license, admin API key, a second user with admin role

# Step 1: Confirm user has admin access
curl -s -X GET http://localhost:10000/api/global/roles \
  -H 'Cookie: budibase:auth=' \
  -H 'x-budibase-app-id: app_xyz'
# Returns 200 with roles list

# Step 2: Revoke admin role via public API
curl -s -X POST http://localhost:10000/api/public/v1/roles/unassign \
  -H 'x-budibase-api-key: ' \
  -H 'Content-Type: application/json' \
  -d '{"userIds": [""], "admin": true}'
# Returns 200 — role removed from CouchDB

# Step 3: Verify DB was updated (admin field removed)
# (check CouchDB directly - user document no longer has admin: {global: true})

# Step 4: Immediately retry admin endpoint as revoked user
curl -s -X GET http://localhost:10000/api/global/roles \
  -H 'Cookie: budibase:auth=' \
  -H 'x-budibase-app-id: app_xyz'
# STILL returns 200 — stale cache serves old admin privileges

# Step 5: Wait for cache expiry (up to 3600 seconds) and retry
# After cache expires, the request correctly returns 403

Impact

A user whose admin, builder, or app-level roles have been revoked via the public API retains full access to those privileges for up to 1 hour. This is particularly concerning in automated offboarding scenarios where HR/IT systems use the public API to revoke access for terminated employees — the terminated user retains admin/builder access to all applications and data during the cache window.

The impact is bounded by: - Requires enterprise license (expanded public API feature) - Maximum 1-hour window before cache expires - Only affects the public API revocation path; revocations via the admin UI (UserDB.save()) invalidate cache correctly - The assign direction has the inverse issue (newly granted roles are delayed) but this is less security-critical

Recommended

Fix

Add cache invalidation to bulkUpdateGlobalUsers or to the callers that need it. The most targeted fix is in the unAssign function:

// packages/pro/src/sdk/publicApi/roles.ts
import { cache } from "@budibase/backend-core"

export async function unAssign(userIds: string[], opts: AssignmentOpts) {
  // ... existing role removal logic ...
  await userDB.bulkUpdate(users)
  
  // Invalidate cache for all affected users
  await Promise.all(
    users.map(user => cache.user.invalidateUser(user._id!))
  )
}

Alternatively, fix it at the bulkUpdate level to prevent future callers from having the same gap:

// packages/backend-core/src/users/db.ts
static async bulkUpdate(users: User[]) {
  const result = await usersCore.bulkUpdateGlobalUsers(users)
  await Promise.all(
    users.map(user => cache.user.invalidateUser(user._id!))
  )
  return result
}

The same fix should also be applied to the assign function in the same file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The public API role unassignment endpoint does not invalidate the Redis user cache, allowing revoked users to retain privileges for up to 1 hour.

Vulnerability

The public API role unassignment endpoint (POST /api/public/v1/roles/unassign) in Budibase versions prior to 3.38.2 updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. The vulnerable code path is in packages/pro/src/sdk/publicApi/roles.ts:49-75, which calls userDB.bulkUpdate() — this writes directly to CouchDB with no cache invalidation [1][2]. In contrast, the correct code path used by the admin UI calls cache.user.invalidateUser(). The Redis cache has a TTL of 3600 seconds (1 hour) [1][2].

Exploitation

An attacker who can make authenticated requests to the public API, specifically a user with sufficient privileges to call the unAssign endpoint (typically an admin), can revoke roles from other users. After the revocation, the affected users' cached permissions remain unchanged for up to 1 hour. No additional user interaction is required beyond the initial revocation [1][2].

Impact

A user whose admin, builder, or app-level roles have been revoked via the public API retains those privileges for up to 1 hour. During this window, the user can continue to access resources and perform actions that should no longer be permitted, leading to unauthorized access and potential privilege escalation. The stale cache means the authentication middleware reads the old (revoked) roles from Redis instead of the updated CouchDB document [1][2].

Mitigation

The issue is fixed in Budibase release 3.38.2 [4]. The fix includes invalidating the user cache after bulk role updates [4]. There is no workaround if upgrading is not possible; the vulnerability is fully addressed by applying the patch. Users should upgrade to version 3.38.2 or later. The CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

References
  1. CVE-2026-46424 - GitHub Advisory Database
  2. Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour
  3. Release 3.38.2 · Budibase/budibase

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

2
7c8660c739fb

Merge pull request #18762 from Budibase/codex/fix-user-bulk-update-cache

https://github.com/Budibase/budibasePeter ClementMay 12, 2026Fixed in 3.38.2via llm-release-walk
commit
3 files changed · +47 1
  • packages/backend-core/src/cache/user.ts+16 0 modified
    @@ -148,7 +148,23 @@ export async function getUsers(
   return { users, notFoundIds: notFoundIds }
 }
 
+/**
+ * Invalidate a user from the cache.
+ * @param userId the id of the user to invalidate
+ */
 export async function invalidateUser(userId: string) {
   const client = await redis.getUserClient()
   await client.delete(userId)
 }
+
+/**
+ * Invalidate a list of users from the cache.
+ * @param userIds the ids of the users to invalidate
+ */
+export async function invalidateUsers(userIds: string[]) {
+  if (userIds.length === 0) {
+    return
+  }
+  const client = await redis.getUserClient()
+  await client.bulkDelete(userIds)
+}
  • packages/backend-core/src/users/db.ts+3 1 modified
    @@ -227,7 +227,9 @@ export class UserDB {
   }
 
   static async bulkUpdate(users: User[]) {
-    return await usersCore.bulkUpdateGlobalUsers(users)
+    const response = await usersCore.bulkUpdateGlobalUsers(users)
+    await cache.user.invalidateUsers(users.map(user => user._id!))
+    return response
   }
 
   static async save(user: User, opts: SaveUserOpts = {}): Promise<User> {
  • packages/backend-core/src/users/test/db.spec.ts+28 0 modified
    @@ -1,6 +1,7 @@
 import { BulkUserCreated, User, UserGroup, UserStatus } from "@budibase/types"
 import { DBTestConfiguration, generator, structures } from "../../../tests"
 import * as accounts from "../../accounts"
+import * as cache from "../../cache"
 import { getGlobalDB } from "../../context"
 import { withEnv } from "../../environment"
 import { UserDB } from "../db"
@@ -42,6 +43,33 @@ describe("UserDB", () => {
     groups.getDefaultGroup.mockResolvedValue(undefined)
   })
 
+  describe("bulkUpdate", () => {
+    it("invalidates cached user data for updated users", async () => {
+      await config.doInTenant(async () => {
+        const user = await db.save(
+          structures.users.user({
+            email: generator.email({}),
+            firstName: "Original",
+            tenantId: config.getTenantId(),
+          })
+        )
+
+        await cache.user.getUser({
+          userId: user._id!,
+          tenantId: config.getTenantId(),
+        })
+
+        await db.bulkUpdate([{ ...user, firstName: "Updated" }])
+
+        const refreshedUser = await cache.user.getUser({
+          userId: user._id!,
+          tenantId: config.getTenantId(),
+        })
+        expect(refreshedUser.firstName).toBe("Updated")
+      })
+    })
+  })
+
   describe("save", () => {
     describe("create", () => {
       it("creating a new user will persist it", async () => {
b82475752cb7

Invalidate user cache on bulk update

https://github.com/Budibase/budibasePeter ClementMay 11, 2026Fixed in 3.38.2via llm-release-walk
commit
2 files changed · +31 1
  • packages/backend-core/src/users/db.ts+3 1 modified
    @@ -227,7 +227,9 @@ export class UserDB {
   }
 
   static async bulkUpdate(users: User[]) {
-    return await usersCore.bulkUpdateGlobalUsers(users)
+    const response = await usersCore.bulkUpdateGlobalUsers(users)
+    await Promise.all(users.map(user => cache.user.invalidateUser(user._id!)))
+    return response
   }
 
   static async save(user: User, opts: SaveUserOpts = {}): Promise<User> {
  • packages/backend-core/src/users/test/db.spec.ts+28 0 modified
    @@ -1,6 +1,7 @@
 import { BulkUserCreated, User, UserGroup, UserStatus } from "@budibase/types"
 import { DBTestConfiguration, generator, structures } from "../../../tests"
 import * as accounts from "../../accounts"
+import * as cache from "../../cache"
 import { getGlobalDB } from "../../context"
 import { withEnv } from "../../environment"
 import { UserDB } from "../db"
@@ -42,6 +43,33 @@ describe("UserDB", () => {
     groups.getDefaultGroup.mockResolvedValue(undefined)
   })
 
+  describe("bulkUpdate", () => {
+    it("invalidates cached user data for updated users", async () => {
+      await config.doInTenant(async () => {
+        const user = await db.save(
+          structures.users.user({
+            email: generator.email({}),
+            firstName: "Original",
+            tenantId: config.getTenantId(),
+          })
+        )
+
+        await cache.user.getUser({
+          userId: user._id!,
+          tenantId: config.getTenantId(),
+        })
+
+        await db.bulkUpdate([{ ...user, firstName: "Updated" }])
+
+        const refreshedUser = await cache.user.getUser({
+          userId: user._id!,
+          tenantId: config.getTenantId(),
+        })
+        expect(refreshedUser.firstName).toBe("Updated")
+      })
+    })
+  })
+
   describe("save", () => {
     describe("create", () => {
       it("creating a new user will persist it", async () => {

Vulnerability mechanics

Synthesis attempt was rejected by the grounding validator. Re-run pending.

References

3

News mentions

0

No linked articles in our index yet.