CRITICAL🇵🇱 Wersja polska

CVE-2026-27702

CVSS 9.9v3.1pub. 2026-02-25upd. 2026-03-02

Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. This vulnerability ONLY affects Budibase Cloud (SaaS) - self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in `packages/server/src/db/inMemoryView.ts` where user-controlled view map functions are directly evaluated without sanitization. The primary impact comes from what lives inside the pod's environment: the `app-service` pod runs with secrets baked into its environment variables, including `INTERNAL_API_KEY`, `JWT_SECRET`, CouchDB admin credentials, AWS keys, and more. Using the extracted CouchDB credentials, we verified direct database access, enumerated all tenant databases, and confirmed that user records (email addresses) are readable. Version 3.30.4 contains a patch.

🤖 AI Analysis
How it works

In the file packages/server/src/db/inMemoryView.ts, user-supplied view mapping functions are passed directly to eval() without any sanitization or validation (CWE-20, CWE-94, CWE-95). An attacker can prepare a malicious payload as a view filter function and execute it in the context of the application server process. The environment under app-service contains environment variables with sensitive secrets, including INTERNAL_API_KEY, JWT_SECRET, CouchDB administrator credentials, and AWS keys, which become available to the attacker after exploitation. Obtaining CouchDB credentials enables direct access to the database, enumeration of databases for all tenants, and reading user records (including email addresses).

Impact

An attacker can execute arbitrary JavaScript code on the server (RCE), extract all sensitive environment secrets (API keys, JWT, CouchDB data, AWS keys), and gain full access to the databases of all tenants and the user data contained in them.

Mitigation & patch

Budibase should be updated to version 3.30.4, which contains the fix. Users using Budibase Cloud should verify that the provider has deployed the update. Self-hosted instances do not require remedial action in connection with this vulnerability.

Who is affected

Budibase in Cloud version (SaaS) earlier than 3.30.4 — only the Budibase Cloud environment; self-hosted deployments are not vulnerable.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
  • Budibase

    APP
    Budibase
    < 3.30.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-54350CRITICAL10.0PL ✓ten sam produkt

SQL/NoSQL Injection w Budibase — nieautoryzowany odczyt i zapis danych

CVE-2026-54352CRITICAL9.6PL ✓ten sam produkt

Budibase: path traversal przez symlink w endpoint przetwarzania ZIP

CVE-2026-41428CRITICAL9.1PL ✓ten sam produkt

Budibase: pominięcie uwierzytelnienia przez manipulację query string

CVE-2026-35216CRITICAL9.0PL ✓ten sam produkt

Budibase: nieuwierzytelniony RCE przez publiczny webhook i krok Bash

CVE-2026-31818CRITICAL9.6PL ✓ten sam produkt

SSRF w Budibase — nieaktywna ochrona blacklisty IP umożliwia dowolne żądania