PatchSiren

CVE-2026-54350 Budibase CVE debrief

CVE-2026-54350 is a critical vulnerability in Budibase, an open-source low-code platform. Prior to version 3.39.12, an unauthenticated visitor to any published Budibase app can read every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collection. If the builder has published a PUBLIC write query, the visitor can also modify every document of that collection with a single HTTP request. The vulnerability is caused by the enrichContext function at packages/server/src/sdk/workspace/queries/queries.ts:121-138, which substitutes parameter values into the raw JSON body of a query by text replacement, and the validateQueryInputs function at packages/server/src/api/controllers/query/index.ts:61-71, which does not escape JSON metacharacters. Because the parameter text becomes part of the JSON source rather than a single JSON value, attacker-controlled fields are lifted into the parsed filter object, which can widen the filter until it matches every document in the collection. The vulnerability is fixed in version 3.39.12.

Vendor: Budibase
Product: Unknown
CVSS: CRITICAL 10
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-26
Original CVE updated: 2026-06-29
Advisory published: 2026-06-26
Advisory updated: 2026-06-29

Who should care

Budibase users and administrators should be aware of this critical vulnerability and update to version 3.39.12 or later immediately. Builders who have published Budibase apps with PUBLIC write queries should also audit the data behind those apps for unauthorized modifications, since any visitor could have written to those collections. Security teams should treat every published app on an unpatched instance as a possible unauthenticated data-exposure path.

Technical summary

The vulnerability is caused by a combination of two factors: the enrichContext function, which substitutes parameter values into the raw JSON body of a query as plain text, and the validateQueryInputs function, which does not escape JSON metacharacters (quotes, braces, commas) in those values. A request parameter can therefore close the string it was meant to fill and append keys of its own, so the parsed filter object no longer matches what the builder wrote: a read query can be widened to return every document in the collection, and a PUBLIC write query can be turned into an unauthorized modification of those documents. The vulnerability affects Budibase versions prior to 3.39.12 and is fixed in version 3.39.12.
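The substitution pattern described above, as an added illustration that is not Budibase's own code: a constructed query template is filled once by naive text replacement and once with the value JSON-encoded first, and a shape check shows how a defender can detect a parameter that escaped its slot. The placeholder syntax, template and sample parameter are assumptions made for this example.

```javascript
// Added example (not Budibase's code). The template, "{{ name }}" placeholder
// syntax and sample values below are constructed for illustration only.
const QUERY_TEMPLATE = '{"filter": {"customer": "{{ customer }}"}, "limit": 10}';

// Naive substitution: the raw parameter text is spliced into the JSON source,
// so quotes, braces and commas inside the value rewrite the parsed structure.
function naiveEnrich(template, params) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g,
    (_, key) => String(params[key] ?? ''));
}

// Hardened substitution: the quoted placeholder is replaced as a whole by the
// JSON encoding of the value, so the value can only ever become one JSON
// string; it can never introduce a new key, operator or nesting level.
function safeEnrich(template, params) {
  return template.replace(/"\{\{\s*(\w+)\s*\}\}"/g,
    (_, key) => JSON.stringify(String(params[key] ?? '')));
}

// Collect dotted key paths of a parsed object, e.g. ["filter", "filter.customer", "limit"].
function keyPaths(obj, prefix = '') {
  if (obj === null || typeof obj !== 'object') return [];
  return Object.keys(obj).flatMap(
    (k) => [prefix + k, ...keyPaths(obj[k], prefix + k + '.')]);
}

// Structural check a server can run after enrichment: the enriched body must
// still parse and must expose exactly the key layout of the template. Any
// extra or missing key (or a parse failure) means a parameter escaped its slot.
function sameShape(template, enriched) {
  try {
    const want = keyPaths(JSON.parse(template)).sort().join('|');
    const got = keyPaths(JSON.parse(enriched)).sort().join('|');
    return want === got;
  } catch (e) {
    return false;
  }
}

// Convenience wrapper: enrich safely and report whether the shape survived.
function enrichAndVerify(template, params) {
  const body = safeEnrich(template, params);
  return { body, ok: sameShape(template, body) };
}
```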

Defensive priority

This vulnerability has a CVSS score of 10 and a severity of CRITICAL. Budibase users and administrators should prioritize updating to version 3.39.12 or later as soon as possible.

Recommended defensive actions

  • Update to Budibase version 3.39.12 or later
  • Review the collections behind published apps, especially those exposing PUBLIC write queries, for unauthorized modifications
  • Monitor published-app query endpoints for unusual unauthenticated traffic and for result sets far larger than the app normally returns
  • Require authentication and authorization for app queries rather than publishing them as PUBLIC wherever possible
  • Review and update security configurations for Budibase installations

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, including its CVSS score and severity. The source item URL provides additional information on the vulnerability, including references to security advisories.

Official resources

This article is AI-assisted and based on the supplied source corpus.