CVE Catalog

CVE-2026-54350

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.54%

41th percentile — higher than 41% of all known CVEs

Summary

Budibase before version 3.39.12 contains a vulnerability that allows an unauthenticated user to read all documents from MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collections, and if a public write query exists, to modify all documents in a single HTTP request. The issue stems from improper input validation in the validateQueryInputs function, which only rejects Handlebars markers but does not escape JSON metacharacters, enabling injection of additional fields into the filter object.

Risk Assessment

The organization faces complete loss of confidentiality and integrity of data stored in supported databases. An attacker can read all records without authentication and, if a published query has the PUBLIC role, modify or delete all documents in the collection.

Recommendation

Immediately upgrade Budibase to version 3.39.12 or later. Additionally, for published apps, ensure no queries have the PUBLIC role assigned unless absolutely necessary and protected by other mechanisms.

Original NVD description (English source)

Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collection and, where the builder has published a PUBLIC write query, modifies every document of that collection with one HTTP request. enrichContext at packages/server/src/sdk/workspace/queries/queries.ts:121-138 substitutes parameter values into the raw JSON body of a query, then JSON.parses the result. The validator validateQueryInputs at packages/server/src/api/controllers/query/index.ts:61-71 rejects only Handlebars markers ({{, }}) in user input and does not escape JSON metacharacters (", \, }). A parameter value containing a closing quote and additional keys lifts attacker-controlled fields into the parsed filter object. For Mongo find, the parsed filter passes directly to collection.find() (packages/server/src/integrations/mongodb.ts:506-510). Duplicate-key JSON parsing overrides the builder's {name: "..."} with {name: {$exists: true}} and returns every document. The same primitive against an updateMany query (mongodb.ts:577-585) widens the filter scope to the full collection while the builder-controlled $set body runs against every matched document. The authorized middleware at packages/server/src/middleware/authorized.ts:141-148 short-circuits when the query's role is PUBLIC. CSRF is not enforced on this path. POST /api/v2/queries/:queryId (packages/server/src/api/routes/query.ts:63) accepts the call with no session, only an x-budibase-app-id header that is public from the published-app URL. This vulnerability is fixed in 3.39.12.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS