CVE-2026-54350
Published 2026-06-26
Priority: P2 (60), critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.43% (34.2th percentile)
Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collection and, where the builder has published a PUBLIC write query, modifies every document of that collection with one HTTP request.

enrichContext at packages/server/src/sdk/workspace/queries/queries.ts:121-138 substitutes parameter values into the raw JSON body of a query, then JSON.parses the result. The validator validateQueryInputs at packages/server/src/api/controllers/query/index.ts:61-71 rejects only Handlebars markers ({{, }}) in user input and does not escape JSON metacharacters (", \, }). A parameter value containing a closing quote and additional keys lifts attacker-controlled fields into the parsed filter object.

For Mongo find, the parsed filter passes directly to collection.find() (packages/server/src/integrations/mongodb.ts:506-510). Duplicate-key JSON parsing overrides the builder's {name: "..."} with {name: {$exists: true}} and returns every document. The same primitive against an updateMany query (mongodb.ts:577-585) widens the filter scope to the full collection while the builder-controlled $set body runs against every matched document.

The authorized middleware at packages/server/src/middleware/authorized.ts:141-148 short-circuits when the query's role is PUBLIC. CSRF is not enforced on this path. POST /api/v2/queries/:queryId (packages/server/src/api/routes/query.ts:63) accepts the call with no session, only an x-budibase-app-id header that is public from the published-app URL. This vulnerability is fixed in 3.39.12.
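To make the substitution flaw concrete, here is an added JavaScript example that is not Budibase's code: a naive substitute-text-then-parse renderer beside a parse-then-fill renderer, plus a check that flags operator keys the builder's template never contained. The template, the constructed parameter value and the function names are assumptions for illustration.

```javascript
// Added example (not Budibase code): why substituting parameter text into a
// JSON query body and then calling JSON.parse is unsafe, next to a hardened
// form. renderNaive, renderSafe and introducesOperators are hypothetical names.
const TEMPLATE = '{"name": "{{ name }}"}'; // builder-authored Mongo filter
// Constructed input: a closing quote plus extra keys, as the advisory describes.
const INJECTED = 'x", "name": {"$exists": true}, "z": "';

// Vulnerable shape: text substitution, then JSON.parse. The value changes the
// document structure, and JSON.parse keeps the LAST duplicate key, so the
// builder's {name: "..."} constraint is silently replaced.
function renderNaive(template, params) {
  const text = template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, k) => String(params[k]));
  return JSON.parse(text);
}

// Hardened shape: parse the template first, then walk the parsed object and
// replace placeholder strings with the parameter value as data. The value is
// never re-parsed as JSON, so it cannot add keys. It is also coerced to a
// string, so a JSON object sent as the parameter cannot smuggle an operator.
function renderSafe(template, params) {
  const placeholder = /^\{\{\s*(\w+)\s*\}\}$/;
  const fill = (node) => {
    if (typeof node === 'string') {
      const m = node.match(placeholder);
      return m ? String(params[m[1]] ?? '') : node;
    }
    if (Array.isArray(node)) return node.map(fill);
    if (node && typeof node === 'object') {
      return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, fill(v)]));
    }
    return node;
  };
  return fill(JSON.parse(template));
}

// Defensive check before handing a filter to the driver: flag any "$" operator
// key that the builder's template did not itself contain.
function collectKeys(node, acc = new Set()) {
  if (Array.isArray(node)) node.forEach((v) => collectKeys(v, acc));
  else if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) { acc.add(k); collectKeys(v, acc); }
  }
  return acc;
}
function introducesOperators(template, filter) {
  const allowed = collectKeys(JSON.parse(template));
  return [...collectKeys(filter)].some((k) => k.startsWith('$') && !allowed.has(k));
}
```

The hardened form is one defensive pattern, not a description of the fix that shipped in 3.39.12.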
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| budibase | budibase | < 3.39.12 | 3.39.12 |
| budibase | server | >= 0 < 3.39.12 | 3.39.12 |
VulDB
vuldb · 2026-06-27 · CVSS 10.0
CVE-2026-54350 [CRITICAL] budibase up to 3.39.11 JSON Parser queries.ts collection.find sql injection (GHSA-8qv3-p479-cj62 / EUVD-2026-39914)
A vulnerability was found in budibase up to 3.39.11. It has been declared as critical. Affected is the function collection.find of the file packages/server/src/sdk/workspace/queries/queries.ts of the component JSON Parser. Such manipulation leads to sql injection.
This vulnerability is referenced as CVE-2026-54350. It is possible to launch the attack remotely. No exploit is available.
It is recommended to upgrade the affected component.
GHSA
ghsa · 2026-06-23
CVE-2026-54350 [CRITICAL] CWE-89 Budibase has anonymous NoSQL operator injection via published-app query templates
No detection rules found.
No public exploits indexed.