VYPR
Critical severity9.9NVD Advisory· Published May 27, 2026· Updated May 28, 2026

CVE-2026-46425

CVE-2026-46425

Description

Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares to the SCIM router: requireSCIM (checks the Enterprise feature flag and SCIM config) and doInScimContext (sets the SCIM request context). There is no role check. Any authenticated user who reaches the worker (BASIC role, workspace-scoped builder, anyone) can call SCIM endpoints and CRUD every user and group in the tenant. This vulnerability is fixed in 3.38.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Budibase/Budibasereferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: <3.38.2

Patches

Vulnerability mechanics

References

2

News mentions

1