PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45719 Budibase CVE debrief

## Summary

Budibase versions prior to 3.38.1 contain a server-side code injection vulnerability in the V1 Views API. The `POST /api/views` endpoint accepts a `calculation` parameter that is interpolated directly into a CouchDB reduce function definition without validation, despite the existence of an internal `SCHEMA_MAP` object that defines valid calculation types (`sum`, `count`, `stats`). A user with Builder permissions can inject arbitrary JavaScript code that executes within the CouchDB JavaScript engine when the view is queried.

## Technical Analysis

The vulnerability stems from a validation gap between schema definition and enforcement. While Budibase maintains an internal `SCHEMA_MAP` that enumerates permissible calculation types, the application fails to verify incoming `calculation` values against this whitelist before string interpolation occurs. This allows attackers with Builder-level access—an authenticated, privileged but non-administrative role—to supply malicious JavaScript payloads through the calculation parameter.

The injected code executes within CouchDB's JavaScript query server environment. This is a server-side context with access to the database's reduce function execution, creating a code injection primitive that bypasses normal application-layer controls.

The attack vector requires:

- **Network access** to the Budibase instance
- **Valid Builder credentials** (authenticated, high-privilege account)
- **Ability to create or modify views** via the V1 API

The CVSS 3.1 vector (`CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N`) reflects this: Network attack vector, Low attack complexity, High privileges required, No user interaction, Unchanged scope, with High impact to Confidentiality and Integrity but no Availability impact.

## Affected Versions

- **Vulnerable**: Budibase versions prior to 3.38.1
- **Fixed**: Budibase 3.38.1 and later

## Risk Assessment

| Factor | Assessment |
|--------|------------|
| Exploitability | Moderate—requires authenticated Builder access, but no social engineering or complex prerequisites |
| Impact | High—arbitrary code execution in database context enables data exfiltration, manipulation, and lateral |

Vendor
Budibase
Product
Unknown
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running self-hosted Budibase instances with multiple Builder users; security teams managing low-code platform governance; CouchDB administrators supporting Budibase deployments

Technical summary

The V1 Views API in Budibase prior to 3.38.1 fails to validate the `calculation` parameter against its internal `SCHEMA_MAP` before interpolating it into CouchDB reduce function definitions. This allows Builder-role users to inject and execute arbitrary JavaScript within the CouchDB JavaScript engine.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Budibase to version 3.38.1 or later to remediate the code injection vulnerability in the V1 Views API
  • Audit existing views for unexpected calculation parameters that may indicate prior exploitation
  • Restrict Builder role assignments to trusted users until patching is complete
  • Monitor CouchDB query server logs for anomalous JavaScript execution patterns
  • Review application logs for POST requests to /api/views with non-standard calculation values
  • Implement network segmentation to limit exposure of Budibase administrative interfaces
  • Validate that any custom view creation workflows enforce calculation parameter whitelisting
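As an added illustration (not Budibase's own code), the allowlist check the advisory says was missing between `SCHEMA_MAP` and the reduce definition, together with an audit helper for the view review recommended above. The `SCHEMA_MAP` keys are the ones named in the advisory; the reduce bodies and the view record shape are assumptions made for this example.

```javascript
// Allowlist of calculation types. The keys mirror the SCHEMA_MAP types named
// in the advisory; the reduce definitions are assumed for illustration and
// are not Budibase's actual code.
const SCHEMA_MAP = Object.freeze({
  sum: "function (keys, values, rereduce) { return sum(values); }",
  count: "function (keys, values, rereduce) { return rereduce ? sum(values) : values.length; }",
  stats: "_stats",
});

// The check the fix restores: accept only a string that is an own key of the
// allowlist. hasOwnProperty.call is used instead of `in` so inherited names
// such as "constructor" or "toString" are rejected too.
function isAllowedCalculation(calculation) {
  return typeof calculation === "string" &&
    Object.prototype.hasOwnProperty.call(SCHEMA_MAP, calculation);
}

// Hardened view construction. Before 3.38.1 the caller-supplied string was
// interpolated into the reduce definition with no such check, so whatever a
// Builder sent became part of the JavaScript CouchDB would later execute.
// Here the request value only ever selects a fixed definition.
function buildReduce(calculation) {
  if (!isAllowedCalculation(calculation)) {
    throw new Error(`unsupported calculation type: ${JSON.stringify(calculation)}`);
  }
  return SCHEMA_MAP[calculation];
}

// Audit helper for existing view records: returns the names of views whose
// stored calculation is not an allowlisted type. Views without a calculation
// are ordinary (non-aggregating) views and are not flagged.
function auditViews(views) {
  return views
    .filter((v) => v.calculation !== undefined && !isAllowedCalculation(v.calculation))
    .map((v) => v.name);
}

// Constructed sample records for the audit (not data from a real instance).
const SAMPLE_VIEWS = [
  { name: "orders_total", calculation: "sum", field: "amount" },
  { name: "orders_count", calculation: "count" },
  { name: "plain_view" },
  { name: "odd_view", calculation: "Count" },   // wrong case: not in the allowlist
  { name: "worse_view", calculation: "sum()" }, // characters that never belong in a type name
];

console.log("views needing review:", auditViews(SAMPLE_VIEWS));
```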

Evidence notes

Vulnerability description derived from official CVE record and GitHub Security Advisory GHSA-363w-hvwh-w7m6. Fix version confirmed via Budibase release tag 3.38.1. CVSS vector and scoring from NVD record. CWE-94 (Improper Control of Generation of Code) classification from advisory source.

Official resources

2026-05-27