CVE-2026-25043

Budibase is an open-source low-code platform. Prior to version 3.23.25, a business logic vulnerability exists in Budibase’s password reset functionality due to the absence of rate limiting, CAPTCHA, or abuse prevention mechanisms on the “Forgot Password” endpoint. An unauthenticated attacker can repeatedly trigger password reset requests for the same email address, resulting in hundreds of password reset emails being sent in a short time window. This enables large-scale email flooding, user harassment, denial of service (DoS) against user inboxes, and potential financial and reputational impact for Budibase. This issue has been patched in version 3.23.25.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/Budibase/budibase/commit/21bc3f812b2312f082f7683c2abc22d1ecc880c7	Patch
https://github.com/Budibase/budibase/security/advisories/GHSA-277c-prw2-rqgh	Vendor Advisory
https://github.com/Budibase/budibase/security/advisories/GHSA-277c-prw2-rqgh	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*

History

21 Apr 2026, 01:35

Type	Values Removed	Values Added
CPE		cpe:2.3:a:budibase:budibase::::::::
First Time		Budibase Budibase budibase
References	~~() https://github.com/Budibase/budibase/commit/21bc3f812b2312f082f7683c2abc22d1ecc880c7 -~~	() https://github.com/Budibase/budibase/commit/21bc3f812b2312f082f7683c2abc22d1ecc880c7 - Patch
References	~~() https://github.com/Budibase/budibase/security/advisories/GHSA-277c-prw2-rqgh -~~	() https://github.com/Budibase/budibase/security/advisories/GHSA-277c-prw2-rqgh - Vendor Advisory

03 Apr 2026, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-03 16:16

Updated : 2026-04-21 01:35

NVD link : CVE-2026-25043

Mitre link : CVE-2026-25043

CVE.ORG link : CVE-2026-25043

JSON object : View

Products Affected

budibase

budibase

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2026-25043", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-04-03T16:16:35.607", "references": [{"url": "https://github.com/Budibase/budibase/commit/21bc3f812b2312f082f7683c2abc22d1ecc880c7", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-277c-prw2-rqgh", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-277c-prw2-rqgh", "tags": ["Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.23.25, a business logic vulnerability exists in Budibase\u2019s password reset functionality due to the absence of rate limiting, CAPTCHA, or abuse prevention mechanisms on the \u201cForgot Password\u201d endpoint. An unauthenticated attacker can repeatedly trigger password reset requests for the same email address, resulting in hundreds of password reset emails being sent in a short time window. This enables large-scale email flooding, user harassment, denial of service (DoS) against user inboxes, and potential financial and reputational impact for Budibase. This issue has been patched in version 3.23.25."}], "lastModified": "2026-04-21T01:35:13.413", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "08D73E1B-557B-4CEA-9DA0-3A46C8B9B5F4", "versionEndExcluding": "3.23.25"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}