CVE-2026-27702
Unsafe eval() in Budibase Cloud Enables Server-Side Code Execution

Publication date: 2026-02-25

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. This vulnerability ONLY affects Budibase Cloud (SaaS) - self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in `packages/server/src/db/inMemoryView.ts` where user-controlled view map functions are directly evaluated without sanitization. The primary impact comes from what lives inside the pod's environment: the `app-service` pod runs with secrets baked into its environment variables, including `INTERNAL_API_KEY`, `JWT_SECRET`, CouchDB admin credentials, AWS keys, and more. Using the extracted CouchDB credentials, we verified direct database access, enumerated all tenant databases, and confirmed that user records (email addresses) are readable. Version 3.30.4 contains a patch.
Meta Information
Generated: 2026-05-27
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor: budibase
Product: budibase
Version / Range: up to 3.30.4 (excluding 3.30.4)
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-95: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27702 is a critical Remote Code Execution (RCE) vulnerability in Budibase Cloud (SaaS) versions up to 3.30.3. It arises from unsafe use of JavaScript's eval() function in the view filtering implementation, specifically in the file packages/server/src/db/inMemoryView.ts. User-controlled view map functions are concatenated into a string and evaluated without sanitization, allowing any authenticated user, including free-tier accounts, to execute arbitrary JavaScript code on the server.

The vulnerability is specific to Budibase Cloud because it uses an in-memory PouchDB with eval-based view filtering, whereas self-hosted deployments use native CouchDB views and are not affected. Attackers can inject malicious JavaScript code by crafting filter values that break out of the intended string context.

Exploitation involves an authenticated user creating a table view with a malicious filter via a POST request. When the view is queried, the malicious code executes on the server, achieving remote code execution.

The app-service pod runs with environment variables containing sensitive secrets such as INTERNAL_API_KEY, JWT_SECRET, CouchDB admin credentials, and AWS keys. Using these credentials, attackers can access databases, enumerate tenant databases, read user data including email addresses, and write files.

Additionally, the vulnerability enables potential cross-site scripting (XSS) attacks and session hijacking due to the budibase:auth cookie lacking the HttpOnly flag and the ability to upload arbitrary HTML files. [1]


How can this vulnerability impact me?

This vulnerability allows any authenticated user to execute arbitrary JavaScript code on the Budibase Cloud server, leading to remote code execution.

  • Attackers can access sensitive environment variables containing secrets such as API keys, JWT secrets, CouchDB admin credentials, and AWS keys.
  • Using stolen credentials, attackers can directly access and enumerate all tenant databases, exposing user data including email addresses.
  • Attackers can write files to the server, demonstrated by uploading arbitrary HTML files.
  • The vulnerability also enables cross-site scripting (XSS) attacks and session hijacking of other Budibase Cloud users due to insecure cookie settings and file upload capabilities.

Overall, this can lead to full compromise of the Budibase Cloud environment, data breaches, unauthorized data access, and potential account takeovers.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint `/api/views` where authenticated users create table views with potentially malicious filter expressions. Specifically, look for filter values that include JavaScript code injection patterns such as breaking out of string contexts with payloads like `x" || (MALICIOUS_CODE_HERE, true) || "`.

Detection can involve inspecting logs for unusual filter expressions or unexpected POST requests to `/api/views` from authenticated users, especially free-tier accounts.

Since exploitation requires authentication, commands to check active authenticated sessions or cookies (such as the `budibase:auth` cookie) scoped to `.budibase.app` may help identify suspicious activity.

No explicit detection commands are provided in the resources, but network monitoring tools or web application firewalls (WAFs) can be configured to alert on suspicious POST requests to `/api/views` containing suspicious JavaScript injection patterns in filter parameters. [1]
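The log-inspection idea in the answer above, as an added defender-side example written for this page (it is not code from the advisory or from Budibase): it scans request-log lines for POST requests to `/api/views` and flags any string in the body, keys included, that shows the string-context breakout shape the answer quotes. The one-JSON-object-per-line log format with `method`, `path`, `user` and parsed `body` fields is a constructed assumption, and the `filters`/`field`/`value` body layout in the sample is likewise made up for illustration; Budibase's real request schema is not on this page.

```javascript
// Added example, not Budibase's code. Log format (one JSON object per line with
// method, path, user and the parsed request body) is a constructed assumption.

// Shapes that indicate a value is trying to leave a quoted-string context.
const BREAKOUT_PATTERNS = [
  // a closing quote immediately followed by a boolean operator: `x" || ...`
  { name: "quote-then-operator", re: /["']\s*(\|\||&&)/ },
  // a boolean operator followed by an opening quote: `... || "`
  { name: "operator-then-quote", re: /(\|\||&&)\s*["']/ },
  // the comma-operator trick that makes any expression evaluate truthy: `(..., true)`
  { name: "comma-true-trick", re: /,\s*true\s*\)/ },
  // a statement separator has no business inside a filter value
  { name: "statement-separator", re: /;/ },
];

// Walk every string in a parsed body (object keys too, since they are user-controlled),
// yielding [jsonPath, text] pairs.
function* stringsIn(node, path = "body") {
  if (typeof node === "string") {
    yield [path, node];
  } else if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) yield* stringsIn(node[i], `${path}[${i}]`);
  } else if (node !== null && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      yield [`${path}.${key}`, key];
      yield* stringsIn(value, `${path}.${key}`);
    }
  }
}

function matchedPatterns(text) {
  return BREAKOUT_PATTERNS.filter(p => p.re.test(text)).map(p => p.name);
}

// Only view-creation requests are in scope; everything else returns no findings.
function inspectViewRequest(entry) {
  if (entry.method !== "POST" || typeof entry.path !== "string" || !entry.path.startsWith("/api/views")) {
    return [];
  }
  const findings = [];
  for (const [where, text] of stringsIn(entry.body)) {
    const patterns = matchedPatterns(text);
    if (patterns.length > 0) findings.push({ where, text, patterns });
  }
  return findings;
}

// One alert per suspicious string, tagged with the requesting user and path.
function scanLog(lines) {
  const alerts = [];
  for (const raw of lines) {
    let entry;
    try { entry = JSON.parse(raw); } catch { continue; } // skip malformed lines
    for (const finding of inspectViewRequest(entry)) {
      alerts.push({ user: entry.user, path: entry.path, ...finding });
    }
  }
  return alerts;
}

// Constructed sample log: a benign view, a view carrying the breakout pattern quoted
// on this page, a GET, and a POST to an unrelated endpoint that merely contains quotes.
const SAMPLE_LOG = [
  { method: "POST", path: "/api/views", user: "alice@example.test",
    body: { name: "Active users", filters: [{ field: "status", value: "Active" }], conjunction: "AND" } },
  { method: "POST", path: "/api/views", user: "free-tier@example.test",
    body: { name: "x", filters: [{ field: "status", value: 'x" || (MALICIOUS_CODE_HERE, true) || "' }], conjunction: "OR" } },
  { method: "GET", path: "/api/views/abc", user: "alice@example.test", body: null },
  { method: "POST", path: "/api/tables", user: "bob@example.test", body: { name: 'O\'Reilly "quoted"' } },
].map(e => JSON.stringify(e));

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
}
```

Run against the sample, only the second request is reported, with the offending value located at `body.filters[0].value` and the first three pattern names attached; the quotes in the `/api/tables` body are ignored because that endpoint is out of scope. The patterns are deliberately structural (quote next to an operator, the comma-true trick, a semicolon) rather than a list of function names, so they also catch variants of the quoted payload; tune them against your own traffic before alerting on them.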


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Budibase Cloud to version 3.30.4 or later, which contains the patch addressing this vulnerability.

  • Apply the patch that sanitizes filter expressions by escaping filter keys and values using JSON.stringify to prevent injection.
  • Ensure that map/reduce functions are rebuilt from trusted metadata rather than executing stored map strings directly.
  • Disable legacy v1 view endpoints on cloud deployments by setting the `SELF_HOSTED` environment variable appropriately to reduce attack surface.
  • Validate filter conditions and conjunction tokens strictly, throwing errors on invalid tokens to prevent malformed or malicious filters.

Additionally, review and restrict access to authenticated user accounts, monitor for suspicious activity, and consider rotating sensitive environment secrets such as `INTERNAL_API_KEY`, `JWT_SECRET`, and database credentials if compromise is suspected.
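The escaping and token-validation steps in the mitigation list above, as an added example written for this page (my illustration, not Budibase's patch or code): a filter builder that runs every key and value through `JSON.stringify` and rejects any conjunction token outside an allowlist, shown next to the raw-interpolation shape that lets a quote close the string literal, plus a closure-based variant that avoids building source text at all. The filter shape (`conditions` of `{ key, value }` plus a conjunction of `AND` or `OR`) and the generated expression form are assumptions for illustration; Budibase's real filter schema and token names are not on this page, and nothing in the block is ever passed to `eval()`.

```javascript
// Added example, not Budibase's code. Filter shape and token names are assumed:
//   conditions: [{ key: "status", value: "Active" }, ...], conjunction: "AND" | "OR"

// Strict allowlist: any token other than these two is rejected, never guessed at.
const CONJUNCTION_OPERATORS = Object.freeze({ AND: "&&", OR: "||" });

function conjunctionOperator(token) {
  if (!Object.prototype.hasOwnProperty.call(CONJUNCTION_OPERATORS, token)) {
    throw new Error(`invalid conjunction token: ${JSON.stringify(token)}`);
  }
  return CONJUNCTION_OPERATORS[token];
}

function checkCondition(condition) {
  if (!condition || typeof condition.key !== "string" || typeof condition.value !== "string") {
    throw new Error("each condition needs a string key and a string value");
  }
}

// The unsafe shape of the problem: key and value are interpolated raw into source text,
// so a value containing a double quote closes the literal and the rest becomes code.
// Kept only to show what the hardened builder produces instead; it is never evaluated.
function buildFilterExpressionUnsafe(conditions, conjunction) {
  const op = conjunction === "OR" ? "||" : "&&"; // unknown tokens silently become "&&"
  return conditions.map(c => `doc["${c.key}"] === "${c.value}"`).join(` ${op} `);
}

// Hardened builder: JSON.stringify turns each key and value into a correctly escaped
// string literal (quotes, backslashes and newlines stay inside it), and the conjunction
// must pass the allowlist or the whole build throws.
function buildFilterExpression(conditions, conjunction) {
  if (!Array.isArray(conditions) || conditions.length === 0) {
    throw new Error("at least one condition is required");
  }
  const op = conjunctionOperator(conjunction);
  return conditions.map(c => {
    checkCondition(c);
    return `doc[${JSON.stringify(c.key)}] === ${JSON.stringify(c.value)}`;
  }).join(` ${op} `);
}

// Stronger still: never build source text. Compile the same conditions into a closure,
// so there is nothing for eval() to run and no escaping to get wrong.
function compileFilter(conditions, conjunction) {
  if (!Array.isArray(conditions) || conditions.length === 0) {
    throw new Error("at least one condition is required");
  }
  const op = conjunctionOperator(conjunction);
  conditions.forEach(checkCondition);
  const tests = conditions.map(c => doc => doc[c.key] === c.value);
  return op === "&&" ? doc => tests.every(t => t(doc)) : doc => tests.some(t => t(doc));
}

// The breakout pattern quoted in the detection answer on this page, used as a plain value.
const BREAKOUT_VALUE = 'x" || (MALICIOUS_CODE_HERE, true) || "';

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:   ", buildFilterExpressionUnsafe([{ key: "name", value: BREAKOUT_VALUE }], "OR"));
  console.log("hardened: ", buildFilterExpression([{ key: "name", value: BREAKOUT_VALUE }], "OR"));
  console.log("closure:  ", compileFilter([{ key: "name", value: BREAKOUT_VALUE }], "OR")({ name: "x" }));
}
```

With the quoted breakout value, the unsafe builder emits `doc["name"] === "x" || (MALICIOUS_CODE_HERE, true) || ""`, where the injected text sits outside any string literal; the hardened builder emits `doc["name"] === "x\" || (MALICIOUS_CODE_HERE, true) || \""`, a single inert string comparison, and the closure variant simply compares the document field against the literal value and returns false. Escaping is the minimal fix the advisory describes; removing the string-to-code step altogether is the version that no longer depends on getting the escaping right.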

