CVE-2026-54350
Unauthenticated Document Read/Write in Budibase

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app can read every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collection and, where the builder has published a PUBLIC write query, modify every document of that collection with one HTTP request.

enrichContext at packages/server/src/sdk/workspace/queries/queries.ts:121-138 substitutes parameter values into the raw JSON body of a query and then calls JSON.parse on the result. The validator validateQueryInputs at packages/server/src/api/controllers/query/index.ts:61-71 rejects only Handlebars markers ({{, }}) in user input and does not escape JSON metacharacters (", \, }). A parameter value containing a closing quote and additional keys therefore lifts attacker-controlled fields into the parsed filter object.

For Mongo find, the parsed filter passes directly to collection.find() (packages/server/src/integrations/mongodb.ts:506-510). Because JSON.parse keeps the last of duplicate keys, the builder's {name: "..."} is overridden by {name: {$exists: true}} and every document is returned. The same primitive against an updateMany query (mongodb.ts:577-585) widens the filter scope to the full collection while the builder-controlled $set body runs against every matched document.

The authorized middleware at packages/server/src/middleware/authorized.ts:141-148 short-circuits when the query's role is PUBLIC, and CSRF is not enforced on this path. POST /api/v2/queries/:queryId (packages/server/src/api/routes/query.ts:63) accepts the call with no session, only an x-budibase-app-id header that is public from the published-app URL. This vulnerability is fixed in 3.39.12.
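The following is an added illustration, not Budibase's own code, of the defect class the description names: a query body template whose parameter is substituted as raw text and then parsed with JSON.parse, beside a hardened variant that serializes the value with JSON.stringify so quotes, backslashes and braces stay data. The template, the constructed parameter value, and the function names (enrichUnsafe, enrichSafe, rejectsOnlyHandlebars, hasExpectedShape) are assumptions made for the example; they do not reproduce the real enrichContext or validateQueryInputs.

```javascript
// Added example (not Budibase code): models raw-substitution-then-parse
// beside a JSON.stringify-based substitution, plus a shape check a
// defender can add so a filter with unexpected keys never reaches find().

// Constructed template, as a builder might write a Mongo find filter.
const TEMPLATE = '{"name": "{{ name }}"}';

// Constructed parameter value of the shape the advisory describes: a
// closing quote followed by additional keys, ending so the template's own
// trailing quote still closes a string and the document stays valid JSON.
const INJECTED_VALUE = 'alice", "name": {"$exists": true}, "x": "';

// Models the flawed behaviour: text substitution, then JSON.parse.
function enrichUnsafe(template, params) {
  const text = template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) => String(params[key]));
  return JSON.parse(text);
}

// Models the validator the advisory describes: only Handlebars markers
// are rejected, so JSON metacharacters pass through untouched.
function rejectsOnlyHandlebars(value) {
  return !(value.includes('{{') || value.includes('}}'));
}

// Hardened: the quoted placeholder (quotes included) is replaced by the
// JSON-serialized value, so the parser sees one escaped string literal.
// Only quoted placeholders are supported; anything else fails JSON.parse.
function enrichSafe(template, params) {
  const text = template.replace(/"\{\{\s*(\w+)\s*\}\}"/g, (_, key) => {
    if (!(key in params)) throw new Error(`missing parameter: ${key}`);
    return JSON.stringify(String(params[key]));
  });
  return JSON.parse(text);
}

// Defense in depth: the enriched object must have exactly the keys of the
// template parsed with its placeholders left as literal strings.
function hasExpectedShape(template, parsed) {
  const keysOf = (o) => Object.keys(o).sort().join(',');
  return keysOf(JSON.parse(template)) === keysOf(parsed);
}

// Runs both paths on the constructed value and reports what each yields.
function demo() {
  const params = { name: INJECTED_VALUE };
  const unsafe = enrichUnsafe(TEMPLATE, params);
  const safe = enrichSafe(TEMPLATE, params);
  return {
    validatorPasses: rejectsOnlyHandlebars(INJECTED_VALUE), // true: no {{ or }}
    unsafeFilter: unsafe,   // { name: { $exists: true }, x: '' }: last duplicate key wins
    safeFilter: safe,       // { name: INJECTED_VALUE }: the whole value is one string
    unsafeShapeOk: hasExpectedShape(TEMPLATE, unsafe), // false
    safeShapeOk: hasExpectedShape(TEMPLATE, safe),     // true
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The shape check is deliberately independent of the substitution fix: even after values are serialized correctly, refusing any enriched filter whose key set differs from the builder's template means a regression in the substitution code cannot silently widen a find or updateMany to the whole collection.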
Generated: 2026-06-27
Affected Vendors & Products

Vendor: budibase
Product: budibase
Version / Range: 3.39.12
CWE

CWE-943: The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

This vulnerability affects Budibase, an open-source low-code platform, prior to version 3.39.12. It allows an unauthenticated visitor of any published Budibase app to read every document in the collection backing a published query, whether that backend is MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or a REST integration with a JSON body.

If the app builder has published a PUBLIC write query, the attacker can also modify every document in that collection with a single HTTP request. This happens because the system substitutes parameter values into raw JSON queries without properly escaping JSON metacharacters, allowing attacker-controlled fields to be injected into the query filter.

The vulnerability bypasses authorization checks when the query's role is PUBLIC and does not enforce CSRF protection on this path. The attack can widen the filter scope to the entire collection and apply updates to all matched documents.

Impact Analysis

This vulnerability can have severe impacts including unauthorized data disclosure and unauthorized data modification.

  • An attacker can read every document in the database collections backing the Budibase app without any authentication.
  • If a public write query is published, the attacker can modify every document in the collection, potentially corrupting or destroying data.
  • Because the request needs no authentication and CSRF is not enforced on this path, it can be executed remotely and easily.

Overall, this can lead to data breaches, loss of data integrity, and disruption of application functionality.

Mitigation Strategies

The vulnerability is fixed in Budibase version 3.39.12. The immediate step to mitigate this vulnerability is to upgrade Budibase to version 3.39.12 or later.

Since the vulnerability allows unauthenticated public users to read and modify documents via public write queries, avoid publishing apps with public write queries until the upgrade is applied.
