{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25043", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-28T14:50:47.886Z", "datePublished": "2026-04-03T15:35:10.840Z", "dateUpdated": "2026-04-03T16:11:18.857Z"}, "containers": {"cna": {"title": "Budibase: Unauthenticated Password Reset Endpoint Lacks Rate Limiting, Enabling Email Flooding", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/Budibase/budibase/security/advisories/GHSA-277c-prw2-rqgh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-277c-prw2-rqgh"}, {"name": "https://github.com/Budibase/budibase/commit/21bc3f812b2312f082f7683c2abc22d1ecc880c7", "tags": ["x_refsource_MISC"], "url": "https://github.com/Budibase/budibase/commit/21bc3f812b2312f082f7683c2abc22d1ecc880c7"}], "affected": [{"vendor": "Budibase", "product": "budibase", "versions": [{"version": "< 3.23.25", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T15:35:10.840Z"}, "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.23.25, a business logic vulnerability exists in Budibase\u2019s password reset functionality due to the absence of rate limiting, CAPTCHA, or abuse prevention mechanisms on the \u201cForgot Password\u201d endpoint. An unauthenticated attacker can repeatedly trigger password reset requests for the same email address, resulting in hundreds of password reset emails being sent in a short time window. This enables large-scale email flooding, user harassment, denial of service (DoS) against user inboxes, and potential financial and reputational impact for Budibase. This issue has been patched in version 3.23.25."}], "source": {"advisory": "GHSA-277c-prw2-rqgh", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-277c-prw2-rqgh", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T16:05:27.831255Z", "id": "CVE-2026-25043", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:11:18.857Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25043", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T16:05:27.831255Z"}}}], "references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-277c-prw2-rqgh", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:09:07.643Z"}}], "cna": {"title": "Budibase: Unauthenticated Password Reset Endpoint Lacks Rate Limiting, Enabling Email Flooding", "source": {"advisory": "GHSA-277c-prw2-rqgh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Budibase", "product": "budibase", "versions": [{"status": "affected", "version": "< 3.23.25"}]}], "references": [{"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-277c-prw2-rqgh", "name": "https://github.com/Budibase/budibase/security/advisories/GHSA-277c-prw2-rqgh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Budibase/budibase/commit/21bc3f812b2312f082f7683c2abc22d1ecc880c7", "name": "https://github.com/Budibase/budibase/commit/21bc3f812b2312f082f7683c2abc22d1ecc880c7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.23.25, a business logic vulnerability exists in Budibase\u2019s password reset functionality due to the absence of rate limiting, CAPTCHA, or abuse prevention mechanisms on the \u201cForgot Password\u201d endpoint. An unauthenticated attacker can repeatedly trigger password reset requests for the same email address, resulting in hundreds of password reset emails being sent in a short time window. This enables large-scale email flooding, user harassment, denial of service (DoS) against user inboxes, and potential financial and reputational impact for Budibase. This issue has been patched in version 3.23.25."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T15:35:10.840Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25043", "state": "PUBLISHED", "dateUpdated": "2026-04-03T16:11:18.857Z", "dateReserved": "2026-01-28T14:50:47.886Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T15:35:10.840Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.23.25, a business logic vulnerability exists in Budibase\u2019s password reset functionality due to the absence of rate limiting, CAPTCHA, or abuse prevention mechanisms on the \u201cForgot Password\u201d endpoint. An unauthenticated attacker can repeatedly trigger password reset requests for the same email address, resulting in hundreds of password reset emails being sent in a short time window. This enables large-scale email flooding, user harassment, denial of service (DoS) against user inboxes, and potential financial and reputational impact for Budibase. This issue has been patched in version 3.23.25."}], "id": "CVE-2026-25043", "lastModified": "2026-04-03T16:16:35.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T16:16:35.607", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Budibase/budibase/commit/21bc3f812b2312f082f7683c2abc22d1ecc880c7"}, {"source": "security-advisories@github.com", "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-277c-prw2-rqgh"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-277c-prw2-rqgh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.23.25)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "budibase", "source": "cna", "vendor": "Budibase"}, "product": "budibase", "vendor": "budibase"}], "analysis": {"en": {"generated_at": "2026-04-03T19:05:38.333953+00:00", "value": {"mitigation_remediation": ["Upgrade Budibase to version 3.23.25 or later, which includes rate limiting for the password reset endpoint.", "If an upgrade cannot be performed immediately, implement temporary controls such as an IP\u2011based request cap or a CAPTCHA on the Forgot Password page to reduce abuse."], "summary": {"action": "Immediate Patch", "impact": "Password reset email flooding and denial of service to user inboxes"}, "threat_synthesis": {"affected_systems": "All users running Budibase before the 3.23.25 release are affected, regardless of deployment environment. The weakness resides in the open\u2011source low\u2011code platform\u2019s API layer, making every publicly reachable instance vulnerable if it has the unpatched reset endpoint available. No specific platform segment is exempt; the exploit can be attempted by anyone with internet access.", "description_and_impact": "Budibase\u2019s Forgot Password endpoint lacks any form of request throttling or abuse prevention. As a result, an unauthenticated attacker can repeatedly submit reset requests for the same e\u2011mail address, causing the system to send an excessive number of password\u2011reset emails. The volume of messages can overwhelm user inboxes, trigger spam filters, and create a denial\u2011of\u2011service against the affected user\u2019s mail account. This constitutes a business\u2011logic weakness that can lead to user harassment and reputational damage for the platform provider.", "risk_and_exploitability": "The CVSS base score of 5.3 places the issue in the medium\u2011severity range, reflecting moderate impact on availability. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not yet been observed. Nevertheless, the absence of authentication requirements and the lack of rate\u2011limiting make the attack trivial once the target is known. A potential attacker can issue repeated requests in a loop, causing rapid email flooding without needing any further prerequisites."}}}}, "created": "2026-04-03T21:13:03.942479+00:00", "updated": "2026-04-03T21:15:16.359684+00:00", "vendors": ["budibase", "budibase$PRODUCT$budibase"]}