CVE-2026-27702
Unsafe eval() in Budibase Cloud Enables Server-Side Code Execution
Publication date: 2026-02-25
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| budibase | budibase | up to 3.30.4 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-95 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27702 is a critical Remote Code Execution (RCE) vulnerability in Budibase Cloud (SaaS) versions up to 3.30.3. It arises from unsafe use of JavaScript's eval() function in the view filtering implementation, specifically in the file packages/server/src/db/inMemoryView.ts. User-controlled view map functions are concatenated into a string and evaluated without sanitization, allowing any authenticated user, including free-tier accounts, to execute arbitrary JavaScript code on the server.

The vulnerability is specific to Budibase Cloud because it uses an in-memory PouchDB with eval-based view filtering, whereas self-hosted deployments use native CouchDB views and are not affected. Attackers can inject malicious JavaScript code by crafting filter values that break out of the intended string context.

Exploitation involves an authenticated user creating a table view with a malicious filter via a POST request. When the view is queried, the malicious code executes on the server, achieving remote code execution.

The app-service pod runs with environment variables containing sensitive secrets such as INTERNAL_API_KEY, JWT_SECRET, CouchDB admin credentials, and AWS keys. Using these credentials, attackers can access databases, enumerate tenant databases, read user data including email addresses, and write files.

Additionally, the vulnerability enables potential cross-site scripting (XSS) attacks and session hijacking due to the budibase:auth cookie lacking the HttpOnly flag and the ability to upload arbitrary HTML files. [1]
How can this vulnerability impact me?
This vulnerability allows any authenticated user to execute arbitrary JavaScript code on the Budibase Cloud server, leading to remote code execution.
- Attackers can access sensitive environment variables containing secrets such as API keys, JWT secrets, CouchDB admin credentials, and AWS keys.
- Using stolen credentials, attackers can directly access and enumerate all tenant databases, exposing user data including email addresses.
- Attackers can write files to the server, demonstrated by uploading arbitrary HTML files.
- The vulnerability also enables cross-site scripting (XSS) attacks and session hijacking of other Budibase Cloud users due to insecure cookie settings and file upload capabilities.
Overall, this can lead to full compromise of the Budibase Cloud environment, data breaches, unauthorized data access, and potential account takeovers.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint `/api/views` where authenticated users create table views with potentially malicious filter expressions. Specifically, look for filter values that include JavaScript code injection patterns such as breaking out of string contexts with payloads like `x" || (MALICIOUS_CODE_HERE, true) || "`.

Detection can involve inspecting logs for unusual filter expressions or unexpected POST requests to `/api/views` from authenticated users, especially free-tier accounts.

Since exploitation requires authentication, commands to check active authenticated sessions or cookies (such as the `budibase:auth` cookie) scoped to `.budibase.app` may help identify suspicious activity.

No explicit detection commands are provided in the resources, but network monitoring tools or web application firewalls (WAFs) can be configured to alert on suspicious POST requests to `/api/views` containing suspicious JavaScript injection patterns in filter parameters. [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Budibase Cloud to version 3.30.4 or later, which contains the patch addressing this vulnerability.
- Apply the patch that sanitizes filter expressions by escaping filter keys and values using JSON.stringify to prevent injection.
- Ensure that map/reduce functions are rebuilt from trusted metadata rather than executing stored map strings directly.
- Disable legacy v1 view endpoints on cloud deployments by setting the `SELF_HOSTED` environment variable appropriately to reduce attack surface.
- Validate filter conditions and conjunction tokens strictly, throwing errors on invalid tokens to prevent malformed or malicious filters.
Additionally, review and restrict access to authenticated user accounts, monitor for suspicious activity, and consider rotating sensitive environment secrets such as `INTERNAL_API_KEY`, `JWT_SECRET`, and database credentials if compromise is suspected.
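The escaping and strict token validation described above, as an added example that is not Budibase's code or its patch: a filter builder that allow-lists condition and conjunction tokens (throwing on anything else), escapes every key and value with JSON.stringify so the quote-breakout pattern quoted on this page stays inside its string literal, and an interpreter that applies the same validated metadata without eval at all. The field names, operator names and condition shape are this example's own assumptions, not Budibase's schema.

```javascript
// Added example, not Budibase's code: a hardened view-filter builder applying
// the mitigations above: allow-listed condition/conjunction tokens that throw on
// anything else, and JSON.stringify for every key and value. Field names,
// operator names and the condition object shape are assumptions of this example.

const CONJUNCTIONS = new Set(["AND", "OR"]);
const OPERATORS = new Set(["EQUALS", "NOT_EQUALS", "CONTAINS"]);

// Reject any token outside the allow-lists instead of passing it through.
function validateCondition(cond) {
  const bad = (what, v) => { throw new Error(`invalid ${what}: ${JSON.stringify(v)}`); };
  if (typeof cond.key !== "string" || !/^[A-Za-z_]\w*$/.test(cond.key)) bad("filter key", cond.key);
  if (!OPERATORS.has(cond.condition)) bad("condition token", cond.condition);
  if (cond.conjunction !== undefined && !CONJUNCTIONS.has(cond.conjunction)) bad("conjunction token", cond.conjunction);
  if (!["string", "number", "boolean"].includes(typeof cond.value)) bad("filter value", cond.value);
}

// Generates the JavaScript source of a filter expression from validated
// metadata. Keys and values are emitted through JSON.stringify, never
// concatenated raw, so a quote inside a value stays an escaped character.
function buildFilterSource(conditions) {
  return conditions.reduce((acc, cond, i) => {
    validateCondition(cond);
    const key = JSON.stringify(cond.key);
    const value = JSON.stringify(cond.value);
    const clause = {
      EQUALS: `doc[${key}] === ${value}`,
      NOT_EQUALS: `doc[${key}] !== ${value}`,
      CONTAINS: `String(doc[${key}]).includes(${value})`,
    }[cond.condition];
    if (i === 0) return clause;
    // A missing conjunction defaults to AND; explicit parentheses keep the
    // left-to-right grouping identical to matchesFilter below.
    return `(${acc} ${cond.conjunction === "OR" ? "||" : "&&"} ${clause})`;
  }, "");
}

// Safer still: evaluate the validated metadata directly and never eval at all.
function matchesFilter(doc, conditions) {
  return conditions.reduce((acc, cond, i) => {
    validateCondition(cond);
    const field = doc[cond.key];
    const hit = cond.condition === "EQUALS" ? field === cond.value
      : cond.condition === "NOT_EQUALS" ? field !== cond.value
      : String(field).includes(String(cond.value));
    if (i === 0) return hit;
    return cond.conjunction === "OR" ? acc || hit : acc && hit;
  }, false);
}
```

Feeding the page's `x" || (MALICIOUS_CODE_HERE, true) || "` pattern through buildFilterSource yields a comparison against an escaped string literal, whereas the same value passed through matchesFilter is just compared as data.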