Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-54350

CVE-2026-54350: Budibase Auth Bypass Vulnerability

CVE-2026-54350 is an authentication bypass vulnerability in Budibase that allows unauthenticated attackers to read and modify database documents. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-54350 Overview

CVE-2026-54350 is a critical NoSQL injection vulnerability in Budibase, an open-source low-code platform. The flaw allows an unauthenticated visitor of any published Budibase app to read every document in the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collection. Where a builder has published a PUBLIC write query, the same primitive modifies every document in that collection with a single HTTP request. The vulnerability affects all versions prior to 3.39.12 and is tracked under [CWE-89].

Critical Impact

Unauthenticated attackers can exfiltrate or overwrite entire backend collections through a single crafted request to POST /api/v2/queries/:queryId.

Affected Products

  • Budibase versions prior to 3.39.12
  • Deployments backed by MongoDB, CouchDB, Elasticsearch, or DynamoDB-PartiQL
  • REST integrations that send JSON request bodies

Discovery Timeline

  • 2026-06-26 - CVE-2026-54350 published to NVD
  • 2026-06-30 - Last updated in NVD database

Technical Details for CVE-2026-54350

Vulnerability Analysis

The vulnerability stems from unsafe parameter interpolation into raw JSON query bodies. The enrichContext function at packages/server/src/sdk/workspace/queries/queries.ts:121-138 substitutes parameter values directly into the JSON body string, then calls JSON.parse on the resulting string. The input validator validateQueryInputs at packages/server/src/api/controllers/query/index.ts:61-71 rejects only Handlebars markers ({{, }}) and does not escape JSON metacharacters such as ", \, or }.

An attacker submits a parameter value containing a closing quote followed by additional JSON keys. After interpolation and parsing, attacker-controlled fields are lifted into the filter object. For MongoDB find operations, the parsed filter passes directly to collection.find() at packages/server/src/integrations/mongodb.ts:506-510. Duplicate-key JSON parsing overrides the builder's intended {name: "..."} filter with {name: {$exists: true}}, returning every document in the collection.

Root Cause

The root cause is string-based parameter substitution into serialized JSON followed by parsing, combined with an incomplete deny-list validator. Because JSON metacharacters are not escaped, attacker input breaks out of the surrounding string context and injects new object keys.

Attack Vector

The attack requires no session or credentials. The authorized middleware at packages/server/src/middleware/authorized.ts:141-148 short-circuits when the query's role is PUBLIC. CSRF is not enforced on this path. POST /api/v2/queries/:queryId at packages/server/src/api/routes/query.ts:63 accepts the call with only an x-budibase-app-id header, which is publicly derivable from the published-app URL. Applied to an updateMany query at mongodb.ts:577-585, the same primitive widens the filter to the full collection while the builder-controlled $set body runs against every matched document.

No verified public exploit code is available. Refer to the GitHub Security Advisory GHSA-8qv3-p479-cj62 for technical details.

Detection Methods for CVE-2026-54350

Indicators of Compromise

  • Requests to POST /api/v2/queries/:queryId from unauthenticated sources carrying only the x-budibase-app-id header.
  • Request bodies containing JSON metacharacters (", \, }) inside query parameter values.
  • Unexpected surges in MongoDB find or updateMany operations returning or modifying entire collections.

Detection Strategies

  • Inspect Budibase server access logs for query parameters that contain unescaped quote or brace characters.
  • Correlate published-app query invocations with backend database operations that exceed typical result sizes.
  • Alert on MongoDB operators such as $exists, $ne, or $gt appearing in filters derived from user-supplied query parameters.

Monitoring Recommendations

  • Enable database audit logging on collections accessed by Budibase datasources and review sudden bulk read or write volumes.
  • Monitor egress from Budibase servers for anomalous data transfer sizes following query API calls.
  • Track deployment inventory to identify Budibase instances running versions prior to 3.39.12.

How to Mitigate CVE-2026-54350

Immediate Actions Required

  • Upgrade Budibase to version 3.39.12 or later without delay.
  • Audit all published apps and set query roles away from PUBLIC unless strictly required.
  • Review database contents and backups for signs of unauthorized modification since the affected versions were deployed.

Patch Information

Budibase fixed the vulnerability in version 3.39.12. The fix is documented in the GitHub Security Advisory GHSA-8qv3-p479-cj62. Deployments should update the budibase:budibase component and redeploy affected instances.

Workarounds

  • Remove or restrict PUBLIC queries from all published apps until the upgrade is complete.
  • Place Budibase behind an authenticating reverse proxy that blocks anonymous access to /api/v2/queries/.
  • Apply web application firewall rules that reject query parameter values containing unescaped JSON metacharacters.
bash
# Example WAF-style rule to block suspicious query parameters
# Reject POST /api/v2/queries/* bodies containing quote-brace injection patterns
SecRule REQUEST_URI "@beginsWith /api/v2/queries/" \
  "chain,deny,status:400,id:1054350,msg:'Budibase CVE-2026-54350 injection attempt'"
SecRule REQUEST_BODY "@rx \"\s*,\s*\"\$(exists|ne|gt|regex)\""

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.