Unauthenticated Access to Budibase Apps Exposes Database Contents
CVE-2026-54350

CVSS score: 10 (CRITICAL)

Key Information:

Vendor: Budibase
Status: Vendor
CVE Published: 26 June 2026

What is CVE-2026-54350?

Budibase, an open-source low-code platform, contains a vulnerability that lets unauthenticated visitors read and manipulate sensitive database documents. It affects versions prior to 3.39.12. By sending an HTTP request to a published Budibase app, an attacker can read every document in the associated MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collections. If the application's builder has also published a 'PUBLIC' write query, the attacker can modify every document in the collection. The root cause is inadequate input validation in the query processing logic: crafted inputs bypass the access checks, resulting in information disclosure and loss of data integrity. Published apps should be treated as an unauthenticated attack surface, and published queries, particularly write queries, should be restricted to the minimum access the app requires.

Affected Version(s)

budibase < 3.39.12

References

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved