Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-54350: Budibase Unauthenticated Database Read & Write (CVSS 10.0)
CVE-2026-54350: Budibase Unauthenticated Database Read & Write (CVSS 10.0)

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-54350

CVE-2026-54350: Budibase Unauthenticated Database Read & Write (CVSS 10.0)

A critical CVSS 10.0 flaw in Budibase allows unauthenticated visitors of any published app to read every document in backing database collections and...

Dylan H.

Security Team

June 27, 2026
3 min read

Affected Products

  • Budibase < 3.39.12

Overview

CVE-2026-54350 is a critical (CVSS 10.0) vulnerability in Budibase, an open-source low-code platform used to build internal tools and web applications. The flaw enables any unauthenticated visitor of a published Budibase application to read every document stored in the app's backing data collections and, where the builder has published a public write query, to write arbitrary data as well.

FieldDetails
CVE IDCVE-2026-54350
CVSS Score10.0 (Critical)
Affected SoftwareBudibase < 3.39.12
Fixed Version3.39.12
Disclosure Date2026-06-26
Attack VectorNetwork (unauthenticated)

Vulnerability Details

Budibase supports multiple backing data sources for its published apps, including:

  • MongoDB
  • CouchDB
  • Elasticsearch
  • DynamoDB (PartiQL)
  • REST APIs with JSON body collections

Prior to version 3.39.12, an unauthenticated HTTP request to a published Budibase app could bypass the platform's authorization checks and directly read every document in any of these collection types. Furthermore, if the application builder had published a query configured for public write access, the attacker could submit arbitrary data to that query — effectively gaining unauthenticated write access to the underlying datastore.

This is a complete authentication bypass on the data access layer, earning the maximum CVSS score of 10.0.

Impact

Organizations running Budibase apps that expose internal databases or CRMs through the low-code interface are at risk of:

  • Full data exfiltration of all collection documents without any credentials
  • Unauthorized data manipulation in apps with public write queries enabled
  • Sensitive PII, business data, and internal records exposure

Because Budibase is commonly used to build internal tools from existing databases, the blast radius depends on what data lives in the backing collections — which can include employee records, customer data, financial information, and more.

Affected Configurations

The vulnerability affects all Budibase deployments (self-hosted and cloud) running versions prior to 3.39.12 where:

  1. At least one Budibase app has been published (made accessible to visitors)
  2. The app connects to MongoDB, CouchDB, Elasticsearch, DynamoDB (PartiQL), or a REST data source returning JSON

Remediation

Update immediately to Budibase 3.39.12 or later.

For self-hosted deployments:

# Docker Compose
docker compose pull && docker compose up -d
 
# Docker single container
docker pull budibase/budibase:latest
docker stop budibase && docker rm budibase
docker run -d ... budibase/budibase:latest

If an immediate upgrade is not possible:

  1. Take published apps offline or restrict network access until patched
  2. Audit app access logs for unexpected GET/POST requests to data query endpoints
  3. Review which collections are exposed through published apps

Indicators of Exploitation

Review web server / Budibase access logs for:

  • High-volume unauthenticated requests to /api/queries/ or data source endpoints
  • Requests missing authentication headers that received 200 OK responses on data endpoints
  • Unusual source IPs accessing collection APIs

References

  • NVD Entry — CVE-2026-54350
  • Budibase GitHub Security Advisories
#CVE#Vulnerability#Budibase#Low-Code#Database#Critical

Related Articles

CVE-2026-54352: Budibase Zip Upload Path Traversal Enables Remote Code Execution (CVSS 9.6)

A critical path traversal vulnerability in Budibase's zip upload endpoint allows attackers to write arbitrary files outside the intended temp directory,...

3 min read

CVE-2026-54414: FileRise Path Traversal Enables Arbitrary File Write and Admin Takeover

A critical path traversal vulnerability in FileRise before 3.16.0 allows unauthenticated attackers to write arbitrary files and completely compromise...

5 min read

CVE-2026-7515: BetterDocs Pro WordPress Plugin — Unauthenticated Local File Inclusion

A critical Local File Inclusion vulnerability in the BetterDocs Pro WordPress plugin (up to v3.8.0) allows unauthenticated attackers to include and...

6 min read
Back to all Security Alerts