Mallory
Unrated

Unauthenticated NoSQL operator injection in Budibase published-app query templates

Identifiers: CVE-2026-54350, CWE-943

CVE-2026-54350 affects Budibase prior to version 3.39.12. The flaw is in how published-app query templates process user-supplied parameters for JSON-based backend queries. In enrichContext at packages/server/src/sdk/workspace/queries/queries.ts:121-138, Budibase substitutes parameter values directly into a raw JSON query body and then parses the resulting string with JSON.parse(). Input validation in validateQueryInputs at packages/server/src/api/controllers/query/index.ts:61-71 blocks only Handlebars markers such as {{ and }}, but does not escape JSON metacharacters including quotes, backslashes, or closing braces. As a result, an attacker can inject crafted parameter values that break out of the intended JSON value and introduce attacker-controlled fields or operators into the parsed query object.

For MongoDB find operations, the attacker-influenced filter is passed directly to collection.find() at packages/server/src/integrations/mongodb.ts:506-510, enabling filter manipulation such as replacing a builder-defined predicate with one that matches the full collection. The same primitive can be used against updateMany at mongodb.ts:577-585 to broaden the update scope to all documents while preserving the builder-defined update body.

The issue is reachable without authentication because the authorized middleware at packages/server/src/middleware/authorized.ts:141-148 short-circuits for queries marked PUBLIC, and POST /api/v2/queries/:queryId accepts requests without a session when supplied with the publicly obtainable x-budibase-app-id header. Affected backends include MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, and REST-with-JSON-body collections.
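To make the root cause concrete, the following is an added example written for this page; it is not Budibase's own code, and RAW_TEMPLATE, enrichContextUnsafe, enrichContextSafe, substituteStructured, rejectsHandlebarsOnly, SAMPLE_CRAFTED and demonstrate are hypothetical names constructed here. It contrasts the substitute-into-raw-JSON-then-JSON.parse() pattern the advisory describes with a structured substitution that parses the template first and inserts parameter values as JSON values rather than JSON text, and shows why a check that only rejects {{ and }} does not prevent the structural change.

```javascript
// Added example (not Budibase code). Builder-defined query template as a raw
// JSON string with {{ param }} placeholders; constructed for this example.
const RAW_TEMPLATE =
  '{ "filter": { "username": "{{ username }}", "active": true } }';

// A constructed parameter value containing a quote and a closing of the
// intended string. It contains no Handlebars markers.
const SAMPLE_CRAFTED = 'alice", "injected": 1, "x": "';

// Pattern A (the vulnerable shape): splice raw parameter text into the JSON
// string, then parse. Quotes, backslashes and braces in the value change the
// structure of the parsed object instead of staying inside one string value.
function enrichContextUnsafe(template, params) {
  const substituted = template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) =>
    params[name] === undefined ? '' : String(params[name]));
  return JSON.parse(substituted);
}

// Input check of the kind the advisory describes: rejects Handlebars markers
// only, so JSON metacharacters pass through untouched.
function rejectsHandlebarsOnly(value) {
  return /\{\{|\}\}/.test(String(value));
}

// Pattern B (hardened): parse the template first, then walk the object and
// replace placeholder strings with parameter values. The value becomes a JSON
// string value; it is never re-parsed, so metacharacters are inert. Values are
// restricted to scalars so an object-valued parameter cannot smuggle keys.
const PLACEHOLDER = /^\{\{\s*(\w+)\s*\}\}$/;

function substituteStructured(node, params) {
  if (typeof node === 'string') {
    const m = PLACEHOLDER.exec(node);
    if (!m) return node;
    const v = params[m[1]];
    if (v === undefined || v === null) return '';
    if (typeof v === 'object') {
      throw new TypeError(`parameter ${m[1]} must be a scalar`);
    }
    return String(v);
  }
  if (Array.isArray(node)) return node.map((n) => substituteStructured(n, params));
  if (node && typeof node === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(node)) out[k] = substituteStructured(v, params);
    return out;
  }
  return node;
}

function enrichContextSafe(template, params) {
  return substituteStructured(JSON.parse(template), params);
}

// Runs both patterns on the same constructed input and reports the difference.
function demonstrate() {
  const params = { username: SAMPLE_CRAFTED };
  const unsafe = enrichContextUnsafe(RAW_TEMPLATE, params);
  const safe = enrichContextSafe(RAW_TEMPLATE, params);
  return {
    handlebarsCheckFlagsIt: rejectsHandlebarsOnly(SAMPLE_CRAFTED), // false
    unsafeFilterKeys: Object.keys(unsafe.filter),   // gains "injected" and "x"
    unsafeKeyCount: Object.keys(unsafe.filter).length, // 4
    safeFilterKeys: Object.keys(safe.filter),       // only the builder's keys
    safeKeyCount: Object.keys(safe.filter).length,  // 2
    safeUsernameIsLiteral: safe.filter.username === SAMPLE_CRAFTED, // true
  };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

The unsafe path yields a filter with four keys, two of which the builder never defined; the structured path keeps the same value as one literal string under the builder's own key. An equivalent but less robust fix is to serialize each parameter with JSON.stringify() before splicing it into the raw string; parsing first and substituting typed values removes the re-parse step entirely, which is the property a reviewer should look for in a patch.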


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated visitor of a published Budibase app to read every document exposed through affected PUBLIC queries across supported non-SQL or JSON-body backends. Where a PUBLIC write query exists, the attacker can also widen the filter scope so that builder-defined write operations apply to every document in the collection. This results in full unauthorized data disclosure and potentially mass unauthorized modification of records. The advisory states the issue is remotely exploitable and carries a CVSS 3.1 base score of 10.0, reflecting high confidentiality, integrity, and availability impact.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, remove or restrict PUBLIC access to affected queries in published apps, require authentication for query execution, and unpublish or disable public forms or workflows that expose JSON-body query templating. Avoid exposing non-SQL queries as PUBLIC, particularly write queries. Review published applications for publicly reachable query endpoints and minimize or eliminate anonymous access until the upgrade is completed.

Remediation

Patch, then assume compromise.

Upgrade Budibase to version 3.39.12 or later, which fixes the vulnerable query templating behavior. In addition to patching, review all published apps for PUBLIC non-SQL or JSON-body queries, especially read and write queries backed by MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body integrations. Assess whether sensitive data was exposed or modified and remediate accordingly, including data review and recovery where necessary.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet (0 valid / 0 total). No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor     Product   Type
Budibase   Server    application

Vendor-confirmed product mapping.
