CVE-2026-54350
Modified Modified - Updated After Analysis

Unauthenticated Document Read/Write in Budibase

Vulnerability report for CVE-2026-54350, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collection and, where the builder has published a PUBLIC write query, modifies every document of that collection with one HTTP request. enrichContext at packages/server/src/sdk/workspace/queries/queries.ts:121-138 substitutes parameter values into the raw JSON body of a query, then JSON.parses the result. The validator validateQueryInputs at packages/server/src/api/controllers/query/index.ts:61-71 rejects only Handlebars markers ({{, }}) in user input and does not escape JSON metacharacters (", \, }). A parameter value containing a closing quote and additional keys lifts attacker-controlled fields into the parsed filter object. For Mongo find, the parsed filter passes directly to collection.find() (packages/server/src/integrations/mongodb.ts:506-510). Duplicate-key JSON parsing overrides the builder's {name: "..."} with {name: {$exists: true}} and returns every document. The same primitive against an updateMany query (mongodb.ts:577-585) widens the filter scope to the full collection while the builder-controlled $set body runs against every matched document. The authorized middleware at packages/server/src/middleware/authorized.ts:141-148 short-circuits when the query's role is PUBLIC. CSRF is not enforced on this path. POST /api/v2/queries/:queryId (packages/server/src/api/routes/query.ts:63) accepts the call with no session, only an x-budibase-app-id header that is public from the published-app URL. This vulnerability is fixed in 3.39.12.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-30
Generated
2026-07-17
AI Q&A
2026-06-27
EPSS Evaluated
2026-07-15
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
budibase budibase to 3.39.12 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Budibase, an open-source low-code platform, prior to version 3.39.12. It allows an unauthenticated visitor of any published Budibase app to read every document in the underlying database collections such as MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body.

If the app builder has published a PUBLIC write query, the attacker can also modify every document in that collection with a single HTTP request. This happens because the system substitutes parameter values into raw JSON queries without properly escaping JSON metacharacters, allowing attacker-controlled fields to be injected into the query filter.

The vulnerability bypasses authorization checks when the query's role is PUBLIC and does not enforce CSRF protection on this path. The attack can widen the filter scope to the entire collection and apply updates to all matched documents.

Detection Guidance

This vulnerability allows an unauthenticated visitor to read and modify every document in the backing database collections of a published Budibase app by sending specially crafted HTTP requests to the POST /api/v2/queries/:queryId endpoint with only the x-budibase-app-id header.

To detect this vulnerability on your system or network, you can monitor for unusual or unauthorized POST requests to the /api/v2/queries/:queryId endpoint that include the x-budibase-app-id header but lack authentication tokens or sessions.

Suggested commands to detect potential exploitation attempts include using network traffic inspection tools or web server logs to filter such requests. For example, using curl to test the endpoint:

  • curl -X POST https://your-budibase-app/api/v2/queries/<queryId> -H "x-budibase-app-id: <public-app-id>" -d '{"param":"value"}' -v

Additionally, you can search your web server logs for POST requests to /api/v2/queries/ with the x-budibase-app-id header but no authentication cookies or tokens.

  • grep 'POST /api/v2/queries/' /var/log/nginx/access.log | grep 'x-budibase-app-id' | grep -v 'session='

Because the vulnerability allows reading and modifying all documents without authentication, any such unauthenticated POST requests to this endpoint should be considered suspicious and investigated.

Impact Analysis

This vulnerability can have severe impacts including unauthorized data disclosure and unauthorized data modification.

  • An attacker can read every document in the database collections backing the Budibase app without any authentication.
  • If a public write query is published, the attacker can modify every document in the collection, potentially corrupting or destroying data.
  • Because the attack requires no authentication and bypasses CSRF protections, it can be executed remotely and easily.

Overall, this can lead to data breaches, loss of data integrity, and disruption of application functionality.

Compliance Impact

This vulnerability allows unauthenticated visitors to read and modify all documents in the backing databases of any published Budibase app that has a public write query. Such unauthorized access and modification of potentially sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on data confidentiality, integrity, and access.

Because the vulnerability enables full read and write access without authentication or authorization, it undermines the security controls necessary to protect personal and sensitive information, thereby risking non-compliance with standards that mandate data privacy and security.

Mitigation Strategies

The vulnerability is fixed in Budibase version 3.39.12. The immediate step to mitigate this vulnerability is to upgrade Budibase to version 3.39.12 or later.

Since the vulnerability allows unauthenticated public users to read and modify documents via public write queries, avoid publishing apps with public write queries until the upgrade is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54350. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart