SCA: security update for @budibase/server (GHSA-8qv3-p479-cj62)

critical Tenable Self-Hosted Container Security Plugin ID 443816

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collection and, where the builder has published a PUBLIC write query, modifies every document of that collection with one HTTP request. enrichContext at packages/server/src/sdk/workspace/queries/queries.ts:121-138 substitutes parameter values into the raw JSON body of a query as text, then passes the result to JSON.parse. The validator validateQueryInputs at packages/server/src/api/controllers/query/index.ts:61-71 rejects only Handlebars markers ({{, }}) in user input and does not escape JSON metacharacters (", \, }). A parameter value containing a closing quote and additional keys lifts attacker-controlled fields into the parsed filter object. For Mongo find, the parsed filter passes directly to collection.find() (packages/server/src/integrations/mongodb.ts:506-510). Duplicate-key JSON parsing overrides the builder's {name: "..."} with {name: {$exists: true}} and returns every document. The same primitive against an updateMany query (mongodb.ts:577-585) widens the filter scope to the full collection while the builder-controlled $set body runs against every matched document. The authorized middleware at packages/server/src/middleware/authorized.ts:141-148 short-circuits when the query's role is PUBLIC. CSRF is not enforced on this path. POST /api/v2/queries/:queryId (packages/server/src/api/routes/query.ts:63) accepts the call with no session, only an x-budibase-app-id header that is public from the published-app URL. This vulnerability is fixed in 3.39.12. (CVE-2026-54350)

Solution

Update the @budibase/server library and its related packages to version 3.39.12 or later.

See Also

https://github.com/advisories/GHSA-8qv3-p479-cj62

Plugin Details

Severity: Critical

ID: 443816

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 6/23/2026

Updated: 7/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.8

Percentile: 57.73

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-54350

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/23/2026

Vulnerability Publication Date: 6/23/2026

Reference Information

CVE: CVE-2026-54350