Description
Budibase is an open-source low-code platform. Prior to 3.38.1, the V1 Views API (POST /api/views) accepts a calculation parameter from the request body that is interpolated directly into a CouchDB reduce function definition without validation. Although an internal SCHEMA_MAP object defines the valid calculation types (sum, count, stats), no actual validation is performed against this map before the value is used in string interpolation. A user with Builder permissions can inject arbitrary JavaScript code that will be executed within the CouchDB JavaScript engine when the view is queried. This vulnerability is fixed in 3.38.1.
Published: 2026-05-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The V1 Views API (POST /api/views) interpolates the request-supplied calculation parameter directly into the text of a CouchDB reduce function. An internal SCHEMA_MAP object lists the valid calculation types (sum, count, stats), but the value is never checked against that map before interpolation, so a crafted calculation value becomes JavaScript in the reduce function and runs in CouchDB's JavaScript view server every time the view is queried. The CVSS vector (C:H/I:H/A:N) scores the outcome as high impact to the confidentiality and integrity of data reachable from the view server, with no availability impact. This is a code injection flaw (CWE-94).

Affected Systems

Budibase, the open-source low-code platform, is affected in all releases prior to 3.38.1; the advisory gives no other version details. Operators of older installations should upgrade to 3.38.1 or later, which validates the calculation parameter before it is used in the reduce function definition.

Risk and Exploitability

The CVSS 3.1 score of 6.5 (Medium; AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N) describes a network-reachable flaw that is easy to trigger but requires high privileges: the attacker must already hold Builder permissions and send a crafted POST /api/views within an authenticated session. EPSS is below 1% (Very Low), and the CVE is not listed in CISA's KEV catalog; the SSVC record marks Exploitation as "poc", Technical Impact as "partial", and the flaw as not automatable. A successful exploit executes attacker-chosen JavaScript inside CouchDB's view server on each query of the malicious view, which the vector rates as high confidentiality and integrity impact. The realistic threat is a malicious or compromised Builder account, so the risk concentrates in deployments that grant Builder access widely or expose the Budibase API to untrusted networks.

Generated by OpenCVE AI on May 27, 2026 at 19:19 UTC.

Remediation

Fixed by the vendor in Budibase 3.38.1 (see the GHSA advisory listed below). No vendor-published workaround is recorded on this page.

OpenCVE Recommended Actions

  • Upgrade Budibase to release 3.38.1 or later, where the calculation parameter is validated against the allowed values before the reduce function definition is built. Upgrading does not rewrite views that already exist, so after upgrading review the reduce definitions of existing V1 views for anything other than the expected calculation forms and delete or recreate any that look hand-crafted.
  • If an upgrade is not immediately possible, restrict Builder-level permissions to trusted users only, since Builder rights are required to reach POST /api/views; this shrinks the population that can exploit the flaw but does not remove it.
  • As a temporary workaround, patch the request handling so the calculation parameter is checked against an exact allowlist of the accepted values (sum, count, stats) before it reaches the reduce function definition, and reject any other value with a 400 response rather than attempting to sanitize it.

Generated by OpenCVE AI on May 27, 2026 at 19:19 UTC.

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-363w-hvwh-w7m6
Title: Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API
History

Thu, 28 May 2026 03:30:00 +0000

First Time appeared: added Budibase; Budibase budibase
Vendors & Products: added Budibase; Budibase budibase

Wed, 27 May 2026 19:30:00 +0000

Metrics: added ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 17:45:00 +0000

Description: added "Budibase is an open-source low-code platform. Prior to 3.38.1, the V1 Views API (POST /api/views) accepts a calculation parameter from the request body that is interpolated directly into a CouchDB reduce function definition without validation. Although an internal SCHEMA_MAP object defines the valid calculation types (sum, count, stats), no actual validation is performed against this map before the value is used in string interpolation. A user with Builder permissions can inject arbitrary JavaScript code that will be executed within the CouchDB JavaScript engine when the view is queried. This vulnerability is fixed in 3.38.1."
Title: added "Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API"
Weaknesses: added CWE-94
References: added
Metrics: added cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T18:36:23.178Z

Reserved: 2026-05-13T05:51:48.666Z

Link: CVE-2026-45719

Vulnrichment

Updated: 2026-05-27T18:34:56.623Z

NVD

Status: Deferred

Published: 2026-05-27T18:16:26.010

Modified: 2026-06-17T10:52:30.050

Link: CVE-2026-45719

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T03:15:05Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')