Description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. This vulnerability ONLY affects Budibase Cloud (SaaS) - self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in `packages/server/src/db/inMemoryView.ts` where user-controlled view map functions are directly evaluated without sanitization. The primary impact comes from what lives inside the pod's environment: the `app-service` pod runs with secrets baked into its environment variables, including `INTERNAL_API_KEY`, `JWT_SECRET`, CouchDB admin credentials, AWS keys, and more. Using the extracted CouchDB credentials, we verified direct database access, enumerated all tenant databases, and confirmed that user records (email addresses) are readable. Version 3.30.4 contains a patch.
Published: 2026-02-25
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An unsafe use of eval() in Budibase’s view filtering implementation allows an authenticated user to execute arbitrary JavaScript on the server. Because the eval() call evaluates user‑controlled map functions with no sanitization, a malicious actor can run code with the same privileges as the app‑service pod, exposing internal secrets and database credentials. This can ultimately compromise the entire deployment, including user data, API keys, and other sensitive information.
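To make the flaw class concrete, the block below is an added illustration (not Budibase's own code from `inMemoryView.ts`): an in-memory view that evaluates a user-supplied map-function string with `eval()`, beside a hardened variant that accepts only a declarative filter over whitelisted fields and operators. The sample documents and field names are constructed for the example.

```javascript
// Added illustrative example, not code from the Budibase project.
// Constructed sample documents standing in for rows of an internal table.
const DOCS = [
  { _id: "r1", status: "open",   owner: "alice", amount: 120 },
  { _id: "r2", status: "closed", owner: "bob",   amount: 40 },
  { _id: "r3", status: "open",   owner: "carol", amount: 75 },
];

// VULNERABLE PATTERN: the caller's string is compiled and run as server-side
// JavaScript, so it executes with every privilege of the Node process,
// including access to its environment variables. This is the class of flaw
// the advisory describes; it is shown here only with a benign map function.
function unsafeInMemoryView(docs, mapFnSource) {
  const mapFn = eval(`(${mapFnSource})`); // user text executed as code
  const emitted = [];
  for (const doc of docs) {
    mapFn(doc, (key, value) => emitted.push({ key, value }));
  }
  return emitted;
}

// HARDENED PATTERN: the client may only describe a filter, never supply code.
// Each clause is { field, op, value }; fields and operators are whitelisted
// and the comparison is performed by the server's own functions.
const OPS = {
  eq:  (a, b) => a === b,
  neq: (a, b) => a !== b,
  gt:  (a, b) => typeof a === "number" && a > b,
  lt:  (a, b) => typeof a === "number" && a < b,
};
const ALLOWED_FIELDS = new Set(["status", "owner", "amount"]);

function safeInMemoryView(docs, clauses) {
  for (const { field, op, value } of clauses) {
    if (!ALLOWED_FIELDS.has(field)) throw new Error(`unknown field: ${field}`);
    // hasOwnProperty (not `in`) so prototype keys like "constructor" are refused
    if (!Object.prototype.hasOwnProperty.call(OPS, op)) {
      throw new Error(`unknown operator: ${op}`);
    }
    if (value !== null && typeof value === "object") {
      throw new Error("filter values must be scalars");
    }
  }
  return docs
    .filter((doc) => clauses.every(({ field, op, value }) => OPS[op](doc[field], value)))
    .map((doc) => doc._id);
}
```

The hardened form also covers the interim mitigation listed later on this page: custom map functions are no longer accepted at all, only structured filter clauses.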

Affected Systems

Budibase servers that run the Budibase Cloud (SaaS) offering and use software versions prior to 3.30.4 are vulnerable. Self‑hosted deployments are not affected because they rely on native CouchDB views, which are not processed by the vulnerable component. Any SaaS instance where the app‑service runs with environment variables containing secrets such as INTERNAL_API_KEY, JWT_SECRET, CouchDB admin credentials, and AWS keys is at risk.

Risk and Exploitability

The CVSS score of 9.9 reflects a critical remote code execution vulnerability that requires only a valid authenticated account. The EPSS score of < 1% indicates that current exploitation attempts are rare, yet the impact of a successful exploit is substantial: full server compromise and data exfiltration. Because the vulnerability is not listed in the KEV catalog, there is no evidence of widespread exploitation, but the presence of privileged secrets in the pod’s environment makes successful exploitation extremely valuable to attackers. Attackers can trigger the flaw by crafting a malicious view filter through the cloud interface, requiring only valid user credentials.

Generated by OpenCVE AI on April 17, 2026 at 15:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Budibase to version 3.30.4 or later, which removes the unsafe eval() usage.
  • If an immediate upgrade is not possible, disable or restrict the use of custom view map functions to read‑only execution contexts.
  • Rotate any exposed secrets or credentials that could have been compromised during exploitation, such as CouchDB admin keys, AWS access keys and secrets, and JWT signing keys.
  • Monitor application logs for unexpected JavaScript execution or unauthorized database queries to detect attempts in progress.


Advisories
Source: Github GHSA
ID: GHSA-rvhr-26g4-p2r8
Title: Budibase: Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud)
History

Mon, 02 Mar 2026 19:45:00 +0000

Type: CPEs
Values added: cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*

Thu, 26 Feb 2026 13:30:00 +0000

Type: First Time appeared
Values added: Budibase; Budibase budibase
Type: Vendors & Products
Values added: Budibase; Budibase budibase

Wed, 25 Feb 2026 15:45:00 +0000

Type: Description
Values added: Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. This vulnerability ONLY affects Budibase Cloud (SaaS) - self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in `packages/server/src/db/inMemoryView.ts` where user-controlled view map functions are directly evaluated without sanitization. The primary impact comes from what lives inside the pod's environment: the `app-service` pod runs with secrets baked into its environment variables, including `INTERNAL_API_KEY`, `JWT_SECRET`, CouchDB admin credentials, AWS keys, and more. Using the extracted CouchDB credentials, we verified direct database access, enumerated all tenant databases, and confirmed that user records (email addresses) are readable. Version 3.30.4 contains a patch.
Type: Title
Values added: Budibase Vulnerable to Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud)
Type: Weaknesses
Values added: CWE-20, CWE-94, CWE-95
Type: References
Values added:
Type: Metrics
Values added: cvssV3_1, score 9.9, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T20:43:35.833Z

Reserved: 2026-02-23T17:56:51.202Z

Link: CVE-2026-27702

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-02-25T16:23:26.777

Modified: 2026-03-02T19:31:39.263

Link: CVE-2026-27702

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:15:21Z

Weaknesses