External risk intelligence

Budibase Unauthenticated Data Exposure and Modification Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-54350

Budibase is a low-code platform designed to host and publish applications to the internet. The vulnerability affects published applications with public-facing query endpoints that are reachable by unauthenticated visitors over the internet by design.

SQL Injection

Budibase

before 3.39.12

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in the Budibase low-code platform, affecting publicly accessible applications. The flaw allows unauthenticated visitors to potentially read and modify all data within connected databases or collections. This could lead to significant data compromise and unauthorized alterations, as the platform's security controls are bypassed in this specific scenario.

  • Public apps can expose all their data.
  • Leadership should remember data access is the concern.
  • Confirm if any published apps are affected.

Attack Path

How an attacker could exploit the issue

An unauthenticated visitor to a published Budibase application can interact with its query endpoint. By crafting a specific HTTP request containing malicious input, an attacker can manipulate the way parameters are processed and inserted into database queries. This manipulation allows an attacker to bypass intended access controls and potentially read or modify sensitive data within connected databases like MongoDB.

  • Unauthenticated access to published app.
  • Malformed HTTP request to query API.
  • Read and modify database records.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated visitor to a published Budibase application could read or modify all documents within connected data collections, such as MongoDB, CouchDB, Elasticsearch, or DynamoDB, when public write queries are enabled. This occurs because the platform may not properly sanitize user input for raw query bodies, allowing specially crafted requests to bypass intended filters and execute unintended operations.

  • Sensitive data in connected databases.
  • Unsanitized input sent to data queries.
  • Unauthorized data modification or exposure.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners, platform teams, and infrastructure teams are likely responsible for addressing this vulnerability in Budibase. The first practical step is to identify all deployed instances of Budibase, determine which published applications are exposed to the internet, and confirm if they are business-critical. This will allow for accurate risk assessment and prioritization of remediation efforts, potentially involving coordination with the Budibase vendor or applying the fix during scheduled maintenance.

  • Application owners and platform teams.
  • Verify public app query endpoint exposure.
  • Plan vendor coordination or upgrade.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Budibase and how is it used?

Budibase is an open-source, low-code platform that allows developers to quickly build and deploy internal or external-facing business applications. It connects to various databases like MongoDB, CouchDB, and Elasticsearch, providing a graphical interface for teams to manage data, create forms, and automate workflows without writing extensive custom code.

What is the vulnerability in CVE-2026-54350?

This vulnerability is an injection flaw, specifically categorized as Improper Neutralization of Special Elements used in an SQL Command or database query (CWE-89 and CWE-943). Because the platform fails to properly escape JSON characters in user input, an attacker can manipulate query parameters to override filters, effectively tricking the database into returning all records or executing unauthorized write commands.

How can an attacker trigger this issue?

An attacker triggers this by sending a crafted HTTP request to a published Budibase application's query endpoint. The attack relies on input containing specific characters, like closing quotes, that break out of the intended query structure. Requests that do not contain these specific malformed JSON patterns or that interact with queries not marked as PUBLIC by the app builder will not trigger this vulnerability.

Is my published app at risk?

Halo Surface Signal identifies that this issue is very likely to affect organizations because Budibase apps are frequently published to the internet by design. If you have applications that are reachable by unauthenticated visitors and use database queries, they are considered exposed and require review, as the platform's security middleware does not enforce authentication for these public query paths.

What should I do to secure my Budibase installation?

The most critical step is to update your Budibase instance to version 3.39.12 or later, which contains the necessary security fixes. Prior to updating, identify all your published applications and verify their database connections to understand what data might be reachable. Prioritize applications that handle sensitive information and coordinate with your team to apply the patch during your next maintenance window.

References