Overview
CVE-2026-54350 is a critical (CVSS 10.0) vulnerability in Budibase, an open-source low-code platform used to build internal tools and web applications. The flaw enables any unauthenticated visitor of a published Budibase application to read every document stored in the app's backing data collections and, where the builder has published a public write query, to write arbitrary data as well.
| Field | Details |
|---|---|
| CVE ID | CVE-2026-54350 |
| CVSS Score | 10.0 (Critical) |
| Affected Software | Budibase < 3.39.12 |
| Fixed Version | 3.39.12 |
| Disclosure Date | 2026-06-26 |
| Attack Vector | Network (unauthenticated) |
Vulnerability Details
Budibase supports multiple backing data sources for its published apps, including:
- MongoDB
- CouchDB
- Elasticsearch
- DynamoDB (PartiQL)
- REST APIs with JSON body collections
Prior to version 3.39.12, an unauthenticated HTTP request to a published Budibase app could bypass the platform's authorization checks and directly read every document in any of these collection types. Furthermore, if the application builder had published a query configured for public write access, the attacker could submit arbitrary data to that query — effectively gaining unauthenticated write access to the underlying datastore.
This is a complete authentication bypass on the data access layer, earning the maximum CVSS score of 10.0.
Impact
Organizations running Budibase apps that expose internal databases or CRMs through the low-code interface are at risk of:
- Full data exfiltration of all collection documents without any credentials
- Unauthorized data manipulation in apps with public write queries enabled
- Sensitive PII, business data, and internal records exposure
Because Budibase is commonly used to build internal tools from existing databases, the blast radius depends on what data lives in the backing collections — which can include employee records, customer data, financial information, and more.
Affected Configurations
The vulnerability affects all Budibase deployments (self-hosted and cloud) running versions prior to 3.39.12 where:
- At least one Budibase app has been published (made accessible to visitors)
- The app connects to MongoDB, CouchDB, Elasticsearch, DynamoDB (PartiQL), or a REST data source returning JSON
Remediation
Update immediately to Budibase 3.39.12 or later.
For self-hosted deployments:
# Docker Compose
docker compose pull && docker compose up -d
# Docker single container
docker pull budibase/budibase:latest
docker stop budibase && docker rm budibase
docker run -d ... budibase/budibase:latestIf an immediate upgrade is not possible:
- Take published apps offline or restrict network access until patched
- Audit app access logs for unexpected GET/POST requests to data query endpoints
- Review which collections are exposed through published apps
Indicators of Exploitation
Review web server / Budibase access logs for:
- High-volume unauthenticated requests to
/api/queries/or data source endpoints - Requests missing authentication headers that received
200 OKresponses on data endpoints - Unusual source IPs accessing collection APIs