Budibase NoSQL Operator Injection (CVE-2026-54350)
An unauthenticated attacker can exploit CVE-2026-54350, a NoSQL operator injection vulnerability in Budibase server versions prior to 3.39.12, by injecting malicious parameters into public-facing query templates, enabling them to bypass intended query filters, read all documents including sensitive information, and modify all documents within affected collections with a single HTTP request.
What's new
- l2 poc_available Jul 7, 02:03 via sploitus
A critical NoSQL operator injection vulnerability, tracked as CVE-2026-54350, affects Budibase server versions up to 3.39.0 (and npm package @budibase/server versions < 3.39.12). This flaw stems from improper input validation and handling within the enrichContext and validateQueryInputs functions when processing query templates for MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body datasources. An unauthenticated attacker can craft a malicious JSON payload in a parameter value that contains specific JSON metacharacters. When this payload is substituted into a raw JSON query body and subsequently parsed, it can overwrite the intended query logic, such as a {name: "..."} filter being replaced by {name: {$exists: true}}. This allows the attacker to read and modify entire database collections, including sensitive data, using a single HTTP request to a publicly accessible API endpoint, without requiring authentication or bypassing CSRF protections.
Attack Chain
- An attacker identifies a published Budibase application that uses a non-SQL datasource (MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body) and has a
PUBLICrole assigned to at least one query (e.g.,GetUserByName). - The attacker, unauthenticated, sends an HTTP
POSTrequest to/api/v2/queries/:queryIdfor the identified public read query, including anx-budibase-app-idheader. - The request body contains a JSON payload with the
parametersfield where a parameter (e.g.,name) is injected with a crafted string likex",\"name\":{\"$exists\":true},\"$comment\":\"audit". - Budibase's
enrichContextfunction substitutes this raw parameter value directly into the query's JSON body string without proper JSON-string escaping. - The subsequent
JSON.parseoperation on the malformed string results in a parsed filter object (e.g.,collection.find()) where the attacker's injected$exists:trueclause overrides the legitimate filter, effectively widening the scope to return all documents. - The Budibase server returns all documents from the collection, including sensitive fields not intended for public exposure (e.g.,
password_hash,secret), to the unauthenticated attacker. - If a
PUBLICwrite query (e.g.,updateMany) is available, the attacker can similarly inject a payload to widen thefilterscope, causing theupdateManyoperation to affect all documents in the collection, leading to widespread data modification or destruction.
Impact
Successful exploitation of CVE-2026-54350 allows an unauthenticated visitor to conduct broad data breaches and integrity compromises. This includes the anonymous reading of every document within any MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collection exposed via a PUBLIC query. Attackers can exfiltrate sensitive data such as password_hash, secret, api_token, and mfa_secret from columns not intended to be returned. Furthermore, where a PUBLIC update, delete, or aggregate query exists, attackers can anonymously modify or destroy every document in that collection, extending beyond the original builder's intended single-document scope. All of this can be achieved with a single HTTP request, bypassing session and CSRF protections.
Recommendation
- Patch CVE-2026-54350 immediately: Upgrade your Budibase server instances to version 3.39.12 or newer to remediate the vulnerability. Refer to the official Budibase release notes and patching guidance.
- Deploy the provided Sigma rule: Implement the
Detect CVE-2026-54350 ExploitationSigma rule in your SIEM to identify attempts at NoSQL operator injection against your Budibase applications. - Monitor webserver logs: Specifically look for
POSTrequests to/api/v2/queries/:queryIdcontaining JSON body parameters with suspicious injection patterns (e.g.,",\\\"$exists\\\":true") incs-uri-queryor equivalent fields. - Audit public queries: Review all
PUBLICrole-assigned queries in your Budibase applications, especially those interacting with MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body datasources, to ensure sensitive data is not inadvertently exposed or modifiable.
Detection coverage 1
Detect CVE-2026-54350 Exploitation — Budibase NoSQL Operator Injection Attempt
highDetects CVE-2026-54350 exploitation — crafted JSON injection patterns in POST requests to Budibase public query API endpoints indicating NoSQL operator injection attempts.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
other
2
url
| Type | Value |
|---|---|
| url | https://sploitus.com/exploit?id=E7208285-7740-58AA-9601-BD03EDB2275F |
| url | https://github.com/Budibase/budibase/security/advisories/GHSA-8qv3-p479-cj62 |
| other | zzz","name":{"$exists":true},"$comment":"cve-2026-54350 |