Threat Advisory

Budibase Server Vulnerability Allows Unauthenticated Data Extraction

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2026-54350 (CVSS 10.0) is a critical injection flaw in the @budibase/server npm package affecting all versions prior to 3.39.12. The server's query templating logic substitutes raw parameter values into a JSON query body without escaping JSON metacharacters. An attacker can supply a parameter value containing a closing quote followed by additional JSON keys; the resulting string is parsed by JSON.parse and merged into the filter object used for MongoDB find or updateMany operations, so the attacker controls the shape of the query rather than a single value. Because the authorized middleware skips authentication for queries whose role is PUBLIC, an unauthenticated visitor can trigger the flaw with a single POST to /api/v2/queries/:queryId carrying only the app's public x-budibase-app-id header. Successful exploitation lets the attacker read every document in the backing NoSQL datastore (MongoDB, CouchDB, Elasticsearch, DynamoDB PartiQL, or REST JSON) and, where a PUBLIC write query exists, modify all records in one request. The business impact includes full data exfiltration, unauthorized data modification, loss of data integrity, regulatory non-compliance, and reputational damage. Exploitation requires that a workspace builder has set a non-SQL query's role to PUBLIC and published the app; where no such query exists, the unauthenticated path described here is not available, but affected installations should still update.


RECOMMENDATION:

  • Update @budibase/server to version 3.39.12 or later.
  • Until the update is applied, review published apps for non-SQL queries whose access role is PUBLIC; such a query is the precondition for unauthenticated exploitation.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-8qv3-p479-cj62
