CVE-2026-54350
JavaScript Vulnerability Analysis and Mitigation

Overview

CVE-2026-54350 is a critical anonymous NoSQL operator injection vulnerability in Budibase's @budibase/server npm package that allows unauthenticated attackers to bypass query filters and access or modify entire database collections. It affects all versions up to and including 3.39.0 (released 2026-05-20), with the fix introduced in version 3.39.12. The vulnerability was originally published on June 11, 2026, and added to the GitHub Advisory Database on June 23, 2026. It carries a CVSS v3.1 base score of 10.0 (Critical) (GitHub Advisory, Budibase Advisory).

Technical Details

The root cause lies in the enrichContext function (packages/server/src/sdk/workspace/queries/queries.ts:121-138), which substitutes user-supplied parameter values directly into raw JSON query bodies using processStringSync with {noEscaping: true}, then calls JSON.parse() on the result. The input validator validateQueryInputs (packages/server/src/api/controllers/query/index.ts:61-71) only rejects Handlebars markers ({{, }}) and does not escape JSON metacharacters such as ", \, or }. An attacker can therefore inject a closing quote followed by additional JSON keys (for example, supplying x","name":{"$exists":true},"$comment":"audit as a parameter value); because JSON.parse() keeps the last of two duplicate keys, the builder's intended filter is overridden with attacker-controlled MongoDB operators. The resulting filter object is passed directly to collection.find() or collection.updateMany() with no operator allow-list. Critically, the authorized middleware short-circuits all authentication and CSRF checks when a query's role is PUBLIC, and the endpoint POST /api/v2/queries/:queryId requires only a publicly visible x-budibase-app-id header. SQL datasources (Postgres, MySQL, MSSQL, Oracle, MariaDB) are not affected because they use parameterized binding via interpolateSQL. The weakness is classified as CWE-89 and CWE-943 (GitHub Advisory, Budibase Advisory).
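The following is an added illustration, not Budibase's code: a minimal stand-in for the substitute-then-JSON.parse pattern described above, beside a hardened variant that parses the template first and treats parameters purely as data. The function names, the sample query body and the placeholder handling are assumptions for this example; the hardened variant also goes beyond the page by refusing non-scalar parameter values and by checking a parsed filter for operator keys that the builder's template never contained.

```javascript
// Added illustration, not Budibase's code: a stand-in for the substitute-then-
// JSON.parse pattern described above, beside a hardened variant. Names assumed.
const QUERY_BODY = '{"name": "{{ name }}"}';                       // constructed builder query
const INJECTED = 'x","name":{"$exists":true},"$comment":"audit'; // value quoted in the advisory

// Flawed: parameter text is spliced into the JSON before parsing. JSON.parse
// keeps the last duplicate key, so the builder's "name" filter is overridden.
function buildFilterUnsafe(body, params) {
  const text = body.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) => String(params[key] ?? ''));
  return JSON.parse(text);
}
// Hardened: parse the template first, then replace placeholder leaves with
// parameter values. A value can only become a string leaf, never new keys,
// and non-scalar values (which could carry operators) are refused.
function substitute(node, params) {
  if (typeof node === 'string') {
    const m = node.match(/^\{\{\s*(\w+)\s*\}\}$/);
    if (!m) return node;
    const value = params[m[1]];
    if (value !== null && typeof value === 'object') throw new Error(`${m[1]} must be a scalar`);
    return value ?? '';
  }
  if (Array.isArray(node)) return node.map((n) => substitute(n, params));
  if (node && typeof node === 'object') {
    return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, substitute(v, params)]));
  }
  return node;
}
function buildFilterSafe(body, params) {
  return substitute(JSON.parse(body), params);
}
// Defence in depth at the datasource boundary: collect "$" keys and refuse a
// filter whose operators were not already present in the builder's template.
function operatorKeys(node, out = new Set()) {
  if (Array.isArray(node)) node.forEach((n) => operatorKeys(n, out));
  else if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) {
      if (k.startsWith('$')) out.add(k);
      operatorKeys(v, out);
    }
  }
  return out;
}
function hasUnexpectedOperators(filter, template) {
  const allowed = operatorKeys(template);
  return [...operatorKeys(filter)].some((k) => !allowed.has(k));
}
```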

Impact

An unauthenticated attacker can read every document in any MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collection exposed through a PUBLIC query, including sensitive fields such as password_hash, secret, api_token, and mfa_secret that the published query was never designed to return. Where a builder has published a PUBLIC write query, the attacker can modify or delete every document in the entire collection with a single HTTP request — far beyond the builder's intended single-document scope. The attack requires no session, no CSRF token, and no user interaction, and the scope change (affecting resources beyond the vulnerable component) contributes to the maximum CVSS score of 10.0 (GitHub Advisory, Budibase Advisory).

Exploitation Steps

  1. Reconnaissance: Identify a publicly accessible Budibase deployment by visiting the published app URL. Extract the x-budibase-app-id value from the app's public URL or network traffic — this header is exposed by design for public apps.
  2. Identify PUBLIC queries: Browse the published Budibase app to discover query IDs used by public-facing forms or data tables. Query IDs can be observed in browser network requests when interacting with the app.
  3. Craft the injection payload: Construct a parameter value that breaks out of the JSON string context. For a query with body {"name": "{{ name }}"}, supply the parameter value x","name":{"$exists":true},"$comment":"audit to override the filter.
  4. Send the unauthenticated request: Issue a POST request to /api/v2/queries/<queryId> with only the x-budibase-app-id header and the injected parameters:
POST /api/v2/queries/<queryId> HTTP/1.1
Host: <target>
x-budibase-app-id: <app-id>
Content-Type: application/json

{"parameters":{"name":"x\",\"name\":{\"$exists\":true},\"$comment\":\"audit\""}}
  5. Exfiltrate data: The server returns every document in the backing collection, including sensitive fields not intended to be exposed by the query.
  6. Mass modification (if PUBLIC write query exists): Repeat the same injection against a PUBLIC updateMany query to apply the builder's $set operation to every document in the collection, effectively performing a mass data modification (GitHub Advisory, Budibase Advisory).

Indicators of Compromise

  • Network: Unexpected POST requests to /api/v2/queries/<queryId> from unauthenticated sources (no session cookie, no Authorization header) carrying only an x-budibase-app-id header; parameter values in request bodies containing JSON metacharacters such as " or \, or MongoDB operators such as $exists, $gt, or $ne.
  • Logs: Budibase server logs showing POST /api/v2/queries/ requests returning unusually large response payloads (indicative of full collection dumps); repeated requests to the same query ID from the same IP with varying parameter values.
  • Database: MongoDB/CouchDB/Elasticsearch query logs showing find operations with {$exists: true} or other broad operator filters originating from the Budibase server process; updateMany operations with a matched/modified count significantly higher than expected for single-document queries.
  • Application Behavior: Sudden mass modification of documents in a collection (e.g., a touched: true field appearing on all documents); query response times spiking due to full-collection scans (GitHub Advisory).

Mitigations and Workarounds

Upgrade the @budibase/server npm package to version 3.39.12 or later, which is the patched release (GitHub Advisory, Budibase Advisory). As an interim workaround, review all published Budibase apps and change the role of any non-SQL queries (MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, REST with JSON body) from PUBLIC to a role requiring authentication, accepting that this will break anonymous access to those queries. Additionally, implement network-level controls (WAF rules, reverse proxy filtering) to block requests to /api/v2/queries/ endpoints that contain JSON metacharacters (", \, $) in parameter values. SQL datasources are not affected and require no action.
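The network indicators listed above and the proxy-level workaround described here reduce to one rule: inspect POST requests to /api/v2/queries/ for JSON metacharacters or non-scalar values in parameter values and note whether the request carries a session. The block below is an added example, not part of the advisory or of Budibase; the request record shape, the field names and the sample traffic are constructed for this illustration.

```javascript
// Added example (not from the advisory or Budibase): one request-inspection
// rule serving both the network indicators and the proxy-level workaround.
// The record shape and the sample traffic below are constructed.
const QUERY_PATH = /^\/api\/v2\/queries\/[^/?]+$/;
const META = /["\\$]/; // JSON metacharacters and the operator prefix from the advisory
// Public queries need only the app id: no session cookie, no Authorization header.
function isUnauthenticated(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  return Boolean(h['x-budibase-app-id']) && !h.cookie && !h.authorization;
}
// Every parameter must be a plain string free of metacharacters.
function suspiciousValues(parameters) {
  const hits = [];
  for (const [key, value] of Object.entries(parameters ?? {})) {
    if (typeof value !== 'string') hits.push(`${key}: non-scalar value`);
    else if (META.test(value)) hits.push(`${key}: contains ${value.match(META)[0]}`);
  }
  return hits;
}
// Returns null for a benign record, otherwise a finding a proxy could block on
// (when anonymous) or an analyst could review.
function inspect(record) {
  if (record.method !== 'POST' || !QUERY_PATH.test(record.path)) return null;
  const anonymous = isUnauthenticated(record.headers);
  let params;
  try {
    params = JSON.parse(record.body).parameters;
  } catch (e) {
    return { anonymous, hits: ['unparseable body'] };
  }
  const hits = suspiciousValues(params);
  return hits.length === 0 ? null : { anonymous, hits };
}
// Runs the rule over a batch of records (e.g. parsed access-log entries).
function findings(records) {
  return records.map((r, i) => ({ index: i, finding: inspect(r) })).filter((x) => x.finding);
}
// Constructed sample traffic: one injected anonymous request, one normal
// authenticated request, one unrelated GET.
const SAMPLE = [
  { method: 'POST', path: '/api/v2/queries/q1', headers: { 'x-budibase-app-id': 'app_1' },
    body: '{"parameters":{"name":"x\\",\\"name\\":{\\"$exists\\":true}"}}' },
  { method: 'POST', path: '/api/v2/queries/q1',
    headers: { 'x-budibase-app-id': 'app_1', cookie: 'budibase:auth=...' },
    body: '{"parameters":{"name":"alice"}}' },
  { method: 'GET', path: '/api/v2/queries/q1', headers: {}, body: '' },
];
```

A legitimate parameter value containing " or $ matches this rule too, so blocking on it carries the same trade-off as the workaround above; filtering on the anonymous flag first narrows review to the unauthenticated path the advisory describes.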

Community Response

The vulnerability was discovered and reported by Jan Kahmen of turingpoint (jan@turingpoint.de) and was published by Budibase maintainer mjashanks on June 11, 2026 (Budibase Advisory). No significant broader media coverage or notable public researcher commentary beyond the advisory itself has been identified at this time.

Related Information

Sources

This report was generated using AI.

Related JavaScript vulnerabilities (CVE identifier, severity, score, technology, component name, CISA KEV exploited, fix available, published):

  • CVE-2026-54350: CRITICAL, 10, JavaScript, @budibase/server, CISA KEV exploited: No, fix available: Yes, published Jun 23, 2026
  • CVE-2026-54257: CRITICAL, 9.3, JavaScript, electron, CISA KEV exploited: No, fix available: Yes, published Jun 23, 2026
  • CVE-2026-54157: CRITICAL, 9, JavaScript, @lobehub/lobehub, CISA KEV exploited: No, fix available: Yes, published Jun 23, 2026
  • CVE-2026-54353: HIGH, 8.5, JavaScript, @budibase/backend-core, CISA KEV exploited: No, fix available: Yes, published Jun 22, 2026
  • CVE-2026-50179: MEDIUM, 4.2, JavaScript, @actual-app/web, CISA KEV exploited: No, fix available: Yes, published Jun 22, 2026
