CVE-2026-45719 Overview
CVE-2026-45719 is a code injection vulnerability [CWE-94] in Budibase, an open-source low-code platform. Versions prior to 3.38.1 fail to validate the calculation parameter in the V1 Views API endpoint (POST /api/views). The value is interpolated directly into a CouchDB reduce function definition, allowing authenticated users with Builder permissions to inject arbitrary JavaScript. The injected code executes within the CouchDB JavaScript engine when the view is queried. Budibase patched the issue in release 3.38.1.
Critical Impact
Builder-level users can execute arbitrary JavaScript inside the CouchDB view engine, compromising the confidentiality of the data flowing through the affected view and the integrity of the results that view returns to clients.
Affected Products
- Budibase versions prior to 3.38.1
- Budibase V1 Views API (POST /api/views)
- Self-hosted Budibase deployments using vulnerable releases
Discovery Timeline
- 2026-05-27 - CVE-2026-45719 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45719
Vulnerability Analysis
The Budibase V1 Views API accepts a calculation parameter from the request body. The application defines an internal SCHEMA_MAP object listing valid calculation types: sum, count, and stats. However, the server never validates the user-supplied value against SCHEMA_MAP before passing it into string interpolation that constructs the CouchDB reduce function. This produces a classic code injection sink where attacker-controlled input becomes part of executable source code.
When the constructed view is queried, CouchDB compiles and executes the reduce function in its JavaScript query server. Any attacker statements concatenated into the function body run server-side with whatever the reduce receives, namely the keys and values the view's map function emitted from the application database, and the result is handed back to the querying client. A caveat on scope: CouchDB evaluates view code in a separate couchjs query-server process that talks to the database over a line protocol on stdin/stdout and exposes no filesystem or network APIs, so the realistic impact is disclosure or manipulation of data passing through the view rather than compromise of the host, which is consistent with the confidentiality and integrity impact stated above.
Exploitation requires an authenticated user with Builder permissions, so there is no unauthenticated attack surface; the exposure is greatest on shared or multi-tenant instances where Builder is granted broadly. The vulnerability is still a privilege boundary violation because Builder users are expected to configure views, not to execute arbitrary code on the database backend.
Root Cause
The root cause is missing input validation before string interpolation. Although SCHEMA_MAP enumerates the permitted calculation types, the code path does not enforce membership checks against this map. The unchecked value is concatenated into a function definition, satisfying the definition of [CWE-94: Improper Control of Generation of Code].
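The sink described in the analysis and root cause above, with its fix alongside, as an added JavaScript example. This is not Budibase's code: SCHEMA_MAP's key names (sum, count, stats) come from the advisory, while the reduce template, the helper bodies and the function names buildReduceVulnerable, buildReduceHardened and runReduce are assumptions made for illustration. The vulnerable builder interpolates the request value as the advisory describes; the hardened builder enforces the SCHEMA_MAP membership check that the 3.38.1 fix adds (see Patch Information), using an own-property test rather than `in` so that inherited names such as constructor are not accepted. `new Function` stands in for the CouchDB query server compiling the reduce source.

```javascript
// Added example modelled on the page's description of the V1 Views API sink.
// NOT Budibase's code: SCHEMA_MAP's key names come from the advisory, but the
// reduce template, the helper bodies and every function name are assumptions.

// Valid calculation types, keyed by the value the API accepts.
const SCHEMA_MAP = {
  sum: "function (v) { return v.reduce(function (a, b) { return a + b; }, 0); }",
  count: "function (v) { return v.length; }",
  stats: "function (v) { return { sum: sum(v), count: count(v) }; }",
};

// Shared template. The `${calculation}` interpolation is the injection sink:
// whatever string reaches it is emitted as JavaScript source.
function reduceSource(calculation) {
  const helpers = Object.entries(SCHEMA_MAP)
    .map(([name, body]) => `  var ${name} = ${body};\n`)
    .join("");
  return (
    "function (keys, values, rereduce) {\n" +
    helpers +
    `  return ${calculation}(values);\n` +
    "}"
  );
}

// Vulnerable shape (pre-3.38.1 behaviour as the advisory describes it): the
// request value goes straight into the template with no membership check.
function buildReduceVulnerable(calculation) {
  return reduceSource(calculation);
}

// Hardened shape: enforce membership in SCHEMA_MAP before interpolating.
// Own-property check, not `in`: ("constructor" in SCHEMA_MAP) is true because
// a plain object inherits from Object.prototype.
function buildReduceHardened(calculation) {
  if (
    typeof calculation !== "string" ||
    !Object.prototype.hasOwnProperty.call(SCHEMA_MAP, calculation)
  ) {
    throw new Error(`invalid calculation: ${JSON.stringify(calculation)}`);
  }
  return reduceSource(calculation);
}

// Stand-in for the CouchDB query server compiling the reduce source and
// invoking it as reduce(keys, values, rereduce).
function runReduce(source, values) {
  const reduce = new Function(`return (${source});`)();
  return reduce(null, values, false);
}

// Constructed payload: a complete expression, a statement terminator, then a
// line comment that swallows the template's trailing "(values);" so the
// generated source still parses. Any statements could replace the IIFE body.
const PAYLOAD = "(function () { return 'injected'; })(values); //";

// Legitimate use works in both builders; the payload only gets through the vulnerable one.
console.log(runReduce(buildReduceVulnerable("sum"), [1, 2, 3])); // 6
console.log(runReduce(buildReduceVulnerable(PAYLOAD), [1, 2, 3])); // injected
console.log(runReduce(buildReduceHardened("sum"), [1, 2, 3])); // 6
try {
  buildReduceHardened(PAYLOAD);
} catch (e) {
  console.log(e.message); // the validation error, payload never reaches source text
}
```

Run with node. The constructed PAYLOAD closes the legitimate call expression and comments out the rest of the template line, which is the "close out the legitimate reduce function syntax and append statements" pattern described under Attack Vector. Note also that the hardened builder rejects non-string values outright, since a coercing comparison would otherwise let an array like ["sum"] through.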
Attack Vector
An authenticated user with Builder permissions submits a crafted POST request to /api/views. The calculation field carries a JavaScript payload that closes out the legitimate reduce function syntax and appends attacker-controlled statements. When any client queries the resulting view, CouchDB evaluates the malicious reduce function, executing the injected code.
The vulnerability is described in prose only because no verified proof-of-concept code is included in the vendor advisory. See the GitHub Security Advisory GHSA-363w-hvwh-w7m6 for additional technical context.
Detection Methods for CVE-2026-45719
Indicators of Compromise
- Unexpected POST /api/views requests containing calculation values outside sum, count, or stats.
- CouchDB reduce function definitions stored in design documents that contain JavaScript syntax beyond the expected templates.
- Anomalous outbound network connections, child processes, or file system activity from the couchdb or couchjs processes after view queries. The stock couchjs query server exposes no APIs for any of these, so this is a low-expectation but high-severity signal: a hit indicates something beyond this CVE alone.
Detection Strategies
- Inspect Budibase application logs for V1 Views API requests where the calculation field does not match the allowed enumeration.
- Audit existing CouchDB design documents in Budibase application databases for reduce functions with suspicious code patterns.
- Correlate Builder account activity with view creation events to identify users probing the endpoint.
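The two checks from the indicator and strategy lists above (calculation values outside the allowlist in V1 Views API requests, and reduce definitions that stray from the expected templates), as an added JavaScript example that is not Budibase or advisory code. It runs over constructed sample data: the request-log layout, the design-document layout and the known-good reduce template are assumptions; only the allowlist (sum, count, stats) comes from the advisory.

```javascript
// Added example, not from Budibase or the advisory: two detection checks run
// over constructed sample data. The request-log layout, the design-document
// layout and the known-good reduce template are assumptions; only the
// allowlist (sum, count, stats) comes from the page.
const ALLOWED_CALCULATIONS = new Set(["sum", "count", "stats"]);

// Constructed request-log lines, one JSON object per line, as a logging reverse
// proxy in front of the Budibase API tier might record them.
const SAMPLE_LOG_LINES = [
  '{"ts":"2026-05-28T10:00:01Z","user":"builder-a","method":"POST","path":"/api/views","body":{"name":"Totals","tableId":"ta_1","calculation":"sum","field":"amount"}}',
  '{"ts":"2026-05-28T10:00:07Z","user":"builder-b","method":"POST","path":"/api/views","body":{"name":"ByStatus","tableId":"ta_1","groupBy":"status"}}',
  '{"ts":"2026-05-28T10:01:15Z","user":"builder-c","method":"POST","path":"/api/views","body":{"name":"Probe","tableId":"ta_1","calculation":"sum(values); //"}}',
  '{"ts":"2026-05-28T10:01:16Z","user":"builder-c","method":"POST","path":"/api/views","body":{"name":"Probe2","tableId":"ta_1","calculation":["sum"]}}',
  '{"ts":"2026-05-28T10:02:00Z","user":"builder-a","method":"GET","path":"/api/views","body":null}',
  'not json at all',
];

// Check 1: POST /api/views requests whose calculation is outside the allowlist.
// An absent calculation is legitimate (views with no aggregate), so only a
// present-but-invalid value is flagged. Non-string values are flagged as well:
// a check that coerced them to strings before comparing could be fooled.
function flagSuspiciousViewRequests(lines) {
  const hits = [];
  for (const line of lines) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      continue; // unparseable line: not this check's concern
    }
    if (entry.method !== "POST" || entry.path !== "/api/views") continue;
    const calc = entry.body ? entry.body.calculation : undefined;
    if (calc === undefined) continue;
    if (typeof calc !== "string" || !ALLOWED_CALCULATIONS.has(calc)) {
      hits.push({ ts: entry.ts, user: entry.user, calculation: JSON.stringify(calc) });
    }
  }
  return hits;
}

// Check 2: reduce definitions in a design document that are neither a CouchDB
// built-in reduce nor a template recorded from a clean, patched instance.
const BUILTIN_REDUCES = new Set(["_sum", "_count", "_stats"]);

function normalizeSource(src) {
  return src.replace(/\s+/g, " ").trim();
}

// Assumed known-good template; in practice collect these from a patched deployment.
const KNOWN_GOOD_REDUCES = new Set([
  normalizeSource("function (keys, values, rereduce) { return sum(values); }"),
]);

function flagUnexpectedReduces(designDoc) {
  const hits = [];
  for (const [viewName, view] of Object.entries(designDoc.views || {})) {
    if (typeof view.reduce !== "string") continue; // map-only view
    const reduce = view.reduce.trim();
    if (BUILTIN_REDUCES.has(reduce)) continue;
    if (KNOWN_GOOD_REDUCES.has(normalizeSource(reduce))) continue;
    hits.push({ designDoc: designDoc._id, view: viewName, reduce });
  }
  return hits;
}

// Constructed design document in the shape CouchDB stores views.
const SAMPLE_DESIGN_DOC = {
  _id: "_design/database",
  views: {
    Totals: { map: "function (doc) { emit(doc._id, doc.amount); }", reduce: "_sum" },
    ByStatus: { map: "function (doc) { emit(doc.status, 1); }" },
    Legit: {
      map: "function (doc) { emit(doc._id, doc.amount); }",
      reduce: "function (keys, values, rereduce) {\n  return sum(values);\n}",
    },
    Probe: {
      map: "function (doc) { emit(doc._id, doc.amount); }",
      reduce: "function (keys, values, rereduce) {\n  return (function () { return 'injected'; })(values); //(values);\n}",
    },
  },
};

console.log(flagSuspiciousViewRequests(SAMPLE_LOG_LINES)); // two hits, both from builder-c
console.log(flagUnexpectedReduces(SAMPLE_DESIGN_DOC)); // one hit: view "Probe"
```

Run with node. Feeding the first check your real API access logs requires only that the body be logged as JSON; for the second, pull each application database's design documents with a GET on the _design document and seed KNOWN_GOOD_REDUCES from an instance already on 3.38.1 so that legitimate templates are not reported.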
Monitoring Recommendations
- Enable verbose request logging on the Budibase API tier and forward logs to a central SIEM for retention and analysis.
- Monitor the CouchDB host for unexpected child processes, network egress, or filesystem writes by the couchdb and couchjs processes following view queries; the stock query server has no APIs for these, so any hit warrants investigation in its own right.
- Alert on creation or modification of design documents in Budibase application databases. CouchDB sees these writes arriving under the Budibase service credentials rather than from end users, so join them to the Budibase request log to attribute each change to the Builder account whose POST /api/views produced it.
How to Mitigate CVE-2026-45719
Immediate Actions Required
- Upgrade all Budibase instances to version 3.38.1 or later without delay.
- Review the Builder role membership and revoke access for accounts that do not require it.
- Audit existing views and design documents for injected reduce functions and remove any unauthorized entries.
Patch Information
Budibase fixed the vulnerability in release 3.38.1 by enforcing validation of the calculation parameter against the internal SCHEMA_MAP. Refer to the Budibase Release 3.38.1 notes and the GitHub Security Advisory GHSA-363w-hvwh-w7m6 for the official fix details.
Workarounds
- Restrict Builder permissions to a minimum set of trusted administrators until patching is complete.
- Place the Budibase API behind a WAF or reverse proxy that parses the JSON body and blocks POST /api/views requests whose calculation field is present but not one of sum, count, or stats. Treat this as a stopgap only: body-inspection rules can be bypassed by encoding tricks and do not replace the server-side check in 3.38.1.
- Isolate the CouchDB backend at the network layer to limit the impact of code executed within the database engine.
# Example WAF rule logic - block non-allowlisted calculation values (illustrative Python; adapt to your WAF's rule language; the request object's fields are assumed)
import json
ALLOWED_CALCULATIONS = {"sum", "count", "stats"}
def should_block(request):
    if request.method != "POST" or request.path != "/api/views":
        return False
    try:
        calc = json.loads(request.body).get("calculation")
    except (ValueError, TypeError, AttributeError):
        return True  # malformed or non-object JSON body on this endpoint: fail closed
    # a view without a calculation is legitimate; unlisted or non-string values are blocked
    return calc is not None and not (isinstance(calc, str) and calc in ALLOWED_CALCULATIONS)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


