Skip to content

Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour

Moderate severity GitHub Reviewed Published May 14, 2026 in Budibase/budibase

Package

npm @budibase/backend-core (npm)

Affected versions

< 3.38.2

Patched versions

3.38.2

Description

Summary

The public API role unassignment endpoint (POST /api/public/v1/roles/unassign) updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user identity and permissions from this cache (TTL: 3600 seconds), a user whose admin, builder, or app-level roles have been revoked via the public API retains those privileges for up to 1 hour.

Details

The root cause is an inconsistency between the UserDB.save() and UserDB.bulkUpdate() code paths.

Vulnerable pathpackages/pro/src/sdk/publicApi/roles.ts:49-75:

export async function unAssign(userIds: string[], opts: AssignmentOpts) {
  // ... modifies user objects: deletes roles, admin, builder ...
  await userDB.bulkUpdate(users)  // line 74
}

bulkUpdate delegates to bulkUpdateGlobalUsers() at packages/backend-core/src/users/users.ts:82-85:

export async function bulkUpdateGlobalUsers(users: User[]) {
  const db = getGlobalDB()
  return (await db.bulkDocs(users)) as BulkDocsResponse
}

This writes directly to CouchDB with no cache invalidation.

Correct pathpackages/backend-core/src/users/db.ts:355 (used by admin UI):

await cache.user.invalidateUser(response.id)

Cache configurationpackages/backend-core/src/cache/user.ts:11:

const EXPIRY_SECONDS = 3600  // 1 hour TTL

Authentication middlewarepackages/backend-core/src/middleware/authenticated.ts:153-160:

user = await getUser({
  userId,
  tenantId: session.tenantId,
  email: session.email,
})

getUser() reads from Redis cache first; it only falls back to CouchDB on cache miss. After unAssign updates CouchDB without invalidating Redis, every authenticated request continues to use the stale cached user object with the old (revoked) privileges.

Notably, other bulk operations in the codebase handle this correctly — groups.addUsers() and groups.removeUsers() in packages/pro/src/sdk/groups/groups.ts both loop through affected users and call cache.user.invalidateUser() after bulkUpdateGlobalUsers(). The public API roles path was missed.

PoC

# Prerequisites: Enterprise license, admin API key, a second user with admin role

# Step 1: Confirm user has admin access
curl -s -X GET http://localhost:10000/api/global/roles \
  -H 'Cookie: budibase:auth=<target-user-session>' \
  -H 'x-budibase-app-id: app_xyz'
# Returns 200 with roles list

# Step 2: Revoke admin role via public API
curl -s -X POST http://localhost:10000/api/public/v1/roles/unassign \
  -H 'x-budibase-api-key: <admin-api-key>' \
  -H 'Content-Type: application/json' \
  -d '{"userIds": ["<target-user-id>"], "admin": true}'
# Returns 200 — role removed from CouchDB

# Step 3: Verify DB was updated (admin field removed)
# (check CouchDB directly - user document no longer has admin: {global: true})

# Step 4: Immediately retry admin endpoint as revoked user
curl -s -X GET http://localhost:10000/api/global/roles \
  -H 'Cookie: budibase:auth=<target-user-session>' \
  -H 'x-budibase-app-id: app_xyz'
# STILL returns 200 — stale cache serves old admin privileges

# Step 5: Wait for cache expiry (up to 3600 seconds) and retry
# After cache expires, the request correctly returns 403

Impact

A user whose admin, builder, or app-level roles have been revoked via the public API retains full access to those privileges for up to 1 hour. This is particularly concerning in automated offboarding scenarios where HR/IT systems use the public API to revoke access for terminated employees — the terminated user retains admin/builder access to all applications and data during the cache window.

The impact is bounded by:

  • Requires enterprise license (expanded public API feature)
  • Maximum 1-hour window before cache expires
  • Only affects the public API revocation path; revocations via the admin UI (UserDB.save()) invalidate cache correctly
  • The assign direction has the inverse issue (newly granted roles are delayed) but this is less security-critical

Recommended Fix

Add cache invalidation to bulkUpdateGlobalUsers or to the callers that need it. The most targeted fix is in the unAssign function:

// packages/pro/src/sdk/publicApi/roles.ts
import { cache } from "@budibase/backend-core"

export async function unAssign(userIds: string[], opts: AssignmentOpts) {
  // ... existing role removal logic ...
  await userDB.bulkUpdate(users)
  
  // Invalidate cache for all affected users
  await Promise.all(
    users.map(user => cache.user.invalidateUser(user._id!))
  )
}

Alternatively, fix it at the bulkUpdate level to prevent future callers from having the same gap:

// packages/backend-core/src/users/db.ts
static async bulkUpdate(users: User[]) {
  const result = await usersCore.bulkUpdateGlobalUsers(users)
  await Promise.all(
    users.map(user => cache.user.invalidateUser(user._id!))
  )
  return result
}

The same fix should also be applied to the assign function in the same file.

References

@mjashanks mjashanks published to Budibase/budibase May 14, 2026
Published to the GitHub Advisory Database May 19, 2026
Reviewed May 19, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

EPSS score

Weaknesses

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. Learn more on MITRE.

CVE ID

CVE-2026-46424

GHSA ID

GHSA-6vp2-6r7m-2jvx

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.