Description
Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collection and, where the builder has published a PUBLIC write query, modifies every document of that collection with one HTTP request. enrichContext at packages/server/src/sdk/workspace/queries/queries.ts:121-138 substitutes parameter values into the raw JSON body of a query, then JSON.parses the result. The validator validateQueryInputs at packages/server/src/api/controllers/query/index.ts:61-71 rejects only Handlebars markers ({{, }}) in user input and does not escape JSON metacharacters (", \, }). A parameter value containing a closing quote and additional keys lifts attacker-controlled fields into the parsed filter object. For Mongo find, the parsed filter passes directly to collection.find() (packages/server/src/integrations/mongodb.ts:506-510). Duplicate-key JSON parsing overrides the builder's {name: "..."} with {name: {$exists: true}} and returns every document. The same primitive against an updateMany query (mongodb.ts:577-585) widens the filter scope to the full collection while the builder-controlled $set body runs against every matched document. The authorized middleware at packages/server/src/middleware/authorized.ts:141-148 short-circuits when the query's role is PUBLIC. CSRF is not enforced on this path. POST /api/v2/queries/:queryId (packages/server/src/api/routes/query.ts:63) accepts the call with no session, only an x-budibase-app-id header that is public from the published-app URL. This vulnerability is fixed in 3.39.12.
Published: 2026-06-26
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Budibase, an open-source low-code platform, contains a NoSQL operator injection flaw that allows an unauthenticated visitor of any published application to inject crafted parameter values into raw JSON query bodies. The vulnerability arises because the platform substitutes user-supplied values directly into the JSON body, checking only for Handlebars markers and not escaping JSON metacharacters. An attacker can append a closing quote followed by additional keys, so that the injected keys become part of the parsed filter object. For MongoDB, the resulting filter is passed straight to collection.find() or updateMany(); combined with a duplicate-key override (for example, {"name":{$exists:true}} replacing a builder-supplied name), every document in the target collection is returned or modified. The effect is a full compromise of confidentiality and integrity for all data stored in the underlying database, spanning MongoDB, CouchDB, Elasticsearch, DynamoDB PartiQL, or REST-with-JSON-body collections.
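The substitute-then-parse defect described above and in the Description, as an added illustration rather than Budibase's own enrichContext code: enrichRawJsonUnsafe models the vulnerable flow, enrichParsedJson the hardened parse-first flow in which parameters can only ever land in string leaves. TEMPLATE and INJECTED are constructed inputs and the function names are assumptions.

```javascript
// Added illustration of the defect class in CVE-2026-54350; a simplified
// model, not Budibase's own code. Vulnerable pattern: splice parameter values
// into the raw JSON text, reject only Handlebars markers, then JSON.parse.
function enrichRawJsonUnsafe(template, params) {
  let text = template;
  for (const [key, value] of Object.entries(params)) {
    const s = String(value);
    if (s.includes("{{") || s.includes("}}")) {
      throw new Error(`parameter ${key} contains template markers`);
    }
    text = text.split(`{{${key}}}`).join(s); // quotes and braces pass through
  }
  return JSON.parse(text); // on duplicate keys the last occurrence wins
}
// Hardened pattern: parse the builder's template first, then substitute
// parameters into string leaves only. A value can never become structure,
// so no duplicate key or operator key from user input reaches the driver.
function enrichParsedJson(template, params) {
  const PLACEHOLDER = /^\{\{\s*(\w+)\s*\}\}$/;
  const walk = (node) => {
    if (typeof node === "string") {
      const m = PLACEHOLDER.exec(node);
      if (!m || !(m[1] in params)) return node;
      const v = params[m[1]];
      if (v !== null && typeof v === "object") {
        throw new Error(`parameter ${m[1]} must be a scalar`);
      }
      return String(v);
    }
    if (Array.isArray(node)) return node.map(walk);
    if (node && typeof node === "object") {
      return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, walk(v)]));
    }
    return node;
  };
  return walk(JSON.parse(template));
}
// Constructed builder template and the parameter shape the advisory describes:
// a closing quote ends the builder's string, then a duplicate "name" key
// carries a Mongo operator.
const TEMPLATE = '{"name": "{{name}}"}';
const INJECTED = { name: 'x", "name": {"$exists": true}, "_": "' };
function compare() {
  // unsafe: { name: { $exists: true }, _: "" }; safe: name stays one string
  return { unsafe: enrichRawJsonUnsafe(TEMPLATE, INJECTED), safe: enrichParsedJson(TEMPLATE, INJECTED) };
}
```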

Affected Systems

Budibase releases prior to 3.39.12 (the Budibase: budibase product) are affected. Any published Budibase application that exposes a PUBLIC read or write query, regardless of the underlying NoSQL backend, is vulnerable. The fix is included in Budibase 3.39.12; users must upgrade to that version or later.

Risk and Exploitability

The CVSS score is 10, indicating critical severity. The EPSS score is not available, and the vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The attacker needs only the public application ID header and a crafted HTTP POST to /api/v2/queries/:queryId; no authentication or CSRF protection is enforced on this path. Consequently, the attack can be performed from any network with access to the public endpoint, making exploitation trivially feasible.

Generated by OpenCVE AI on June 26, 2026 at 22:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Budibase to version 3.39.12 or later.
  • Reconfigure published applications so that all queries are set to PRIVATE or remove PUBLIC roles, ensuring that no unauthenticated read or write queries are exposed.
  • Enforce authentication and CSRF protections on the /api/v2/queries endpoint, and consider blocking unauthenticated HTTP POST traffic from untrusted networks.
  • Review recent logs for unusual data retrieval or modification patterns that could indicate exploitation.


Advisories

Source: GitHub GHSA
ID: GHSA-8qv3-p479-cj62
Title: Budibase has anonymous NoSQL operator injection via published-app query templates
History

Fri, 26 Jun 2026 21:00:00 +0000

Values added:
  • Description: identical to the Description section above
  • Title: Budibase: Anonymous NoSQL operator injection via published-app query templates
  • Weaknesses: CWE-89, CWE-943
  • References: none
  • Metrics: cvssV3_1, score 10, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N



MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-26T20:44:00.337Z
Reserved: 2026-06-12T19:23:22.317Z
Link: CVE-2026-54350

Vulnrichment: No data.
NVD: No data.
Redhat: No data.

OpenCVE Enrichment

Updated: 2026-06-26T22:45:05Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CWE-943: Improper Neutralization of Special Elements in Data Query Logic