Critical severity9.9NVD Advisory· Published May 27, 2026· Updated May 28, 2026
CVE-2026-46425
CVE-2026-46425
Description
Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares to the SCIM router: requireSCIM (checks the Enterprise feature flag and SCIM config) and doInScimContext (sets the SCIM request context). There is no role check. Any authenticated user who reaches the worker (BASIC role, workspace-scoped builder, anyone) can call SCIM endpoints and CRUD every user and group in the tenant. This vulnerability is fixed in 3.38.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
2News mentions
1- Budibase: 18 CVEs Disclosed in Single Batch — Critical Auth Bypass and SSRF Flaws PatchedVypr Intelligence · May 27, 2026