PT-2026-51637 · Amazon+4 · Dynamodb+4

Published 2026-06-23 · Updated 2026-06-24 · CVE-2026-54350

CVSS v3.1: 10 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Budibase server versions prior to 3.39.1

Description: The enrichContext function substitutes parameter values into the raw JSON body of a query as text and then parses the result with JSON.parse. The validateQueryInputs function only rejects Handlebars markers; it does not escape JSON metacharacters such as `"`, `{` and `}`. An attacker can therefore close the string a parameter lands in and append additional keys, lifting attacker-controlled fields into the parsed filter object.

For MongoDB find operations, the parsed filter is passed directly to collection.find(), so an attacker can override the intended filter and return every document in a collection. Against updateMany queries, the filter scope can be widened to the entire collection, so the $set body runs against every matched document.

The authorized middleware skips authentication and CSRF checks when a query's role is set to PUBLIC. Consequently, an unauthenticated visitor can call the POST /api/v2/queries/:queryId endpoint, supplying only a public x-budibase-app-id header, to read or modify every document in the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collections.

Recommendations: Update Budibase server to a version later than 3.39.0. As a temporary workaround, avoid setting the role of non-SQL queries (MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST with bodyType=json) to PUBLIC until the update is applied.
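The following is an added illustration, not Budibase's own code, of the root-cause pattern the advisory describes and one way to harden it: `enrichUnsafe` mimics textual substitution into a JSON body followed by JSON.parse, while `enrichSafe` parses the template first and substitutes parameter values as JSON values, so metacharacters in a value can never alter the query's structure. Function names, the `{{ name }}` placeholder syntax and the sample template are assumptions for the example.

```javascript
// Added example (hypothetical names); it is not Budibase's implementation.
const PLACEHOLDER_WHOLE = /^\{\{\s*([A-Za-z_]\w*)\s*\}\}$/;
const PLACEHOLDER_ANY = /\{\{\s*([A-Za-z_]\w*)\s*\}\}/g;

// Unsafe pattern from the advisory: raw text substitution, then JSON.parse.
// A value containing " or } is interpreted as JSON syntax, not as data.
function enrichUnsafe(rawBody, params) {
  let text = rawBody;
  for (const [name, value] of Object.entries(params)) {
    text = text.replace(new RegExp(`\\{\\{\\s*${name}\\s*\\}\\}`, "g"), String(value));
  }
  return JSON.parse(text);
}

// Hardened: parse the template first, then walk the resulting object and
// substitute placeholders inside string values. The parameter value is
// assigned as a JSON value, so its characters are never parsed as syntax.
function enrichSafe(rawBody, params) {
  for (const [name, value] of Object.entries(params)) {
    // Only scalars are allowed; an object would be spliced into the filter
    // as a nested operator document, which is the same class of problem.
    if (value !== null && typeof value === "object") {
      throw new Error(`parameter ${name} must be a scalar`);
    }
  }
  const lookup = (name) => {
    if (!Object.prototype.hasOwnProperty.call(params, name)) {
      throw new Error(`unknown parameter ${name}`);
    }
    return params[name];
  };
  const walk = (node) => {
    if (typeof node === "string") {
      const whole = PLACEHOLDER_WHOLE.exec(node);
      if (whole) return lookup(whole[1]); // keeps numbers/booleans typed
      return node.replace(PLACEHOLDER_ANY, (_, name) => String(lookup(name)));
    }
    if (Array.isArray(node)) return node.map(walk);
    if (node && typeof node === "object") {
      return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, walk(v)]));
    }
    return node;
  };
  return walk(JSON.parse(rawBody));
}

// Defence in depth for any remaining text-substitution path: reject JSON
// metacharacters and Handlebars markers instead of only the latter.
function validateQueryInput(value) {
  return typeof value === "string" && !/["\\{}\[\]]/.test(value);
}
```

Even with structural substitution, a query whose role is PUBLIC still runs unauthenticated, so the hardening above does not replace the workaround in the recommendations.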

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-54350
GHSA-8QV3-P479-CJ62

Affected Products

Budibase
Couchdb
Dynamodb
Elasticsearch
Mongodb