CVE-2026-27702
📋 TL;DR
This CVE describes a critical server-side JavaScript injection vulnerability in Budibase Cloud (SaaS) that allows any authenticated user to execute arbitrary code on the server via unsafe eval() in view filtering. The vulnerability exposes sensitive environment variables including database credentials, API keys, and secrets. Only Budibase Cloud deployments are affected - self-hosted installations using native CouchDB views are not vulnerable.
💻 Affected Systems
- Budibase Cloud (SaaS)
📦 What is this software?
Budibase by Budibase
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Budibase Cloud environment, extraction of all secrets and credentials, unauthorized access to all tenant databases, potential data exfiltration, and lateral movement within the cloud infrastructure.
Likely Case
Attackers gain access to sensitive environment variables, extract CouchDB credentials, access tenant databases, and potentially compromise user data including email addresses and application data.
If Mitigated
With proper authentication controls and network segmentation, impact would be limited to the specific compromised pod, but secrets exposure would still require rotation.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is in a core filtering function that processes user input.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.30.4
Vendor Advisory: https://github.com/Budibase/budibase/security/advisories/GHSA-rvhr-26g4-p2r8
Restart Required: Yes
Instructions:
1. Update Budibase Cloud deployment to version 3.30.4 or later.
2. Restart all affected services.
3. Rotate all exposed secrets (INTERNAL_API_KEY, JWT_SECRET, CouchDB credentials, AWS keys).
4. Verify the fix by checking that eval() is no longer used with user input in view filtering.
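The hardened pattern that step 4 asks you to verify, as an added illustration (example code, not Budibase's own; the field names, operator names and sample rows are constructed): a filter is an allowlisted field, operator and scalar value that are compared as data, never assembled into a JavaScript expression for eval().

```javascript
// Added example, not Budibase code. The vulnerable in-memory view filter
// built a JS expression from request data and ran it through eval(); this
// version applies an allowlisted operator to each row instead, so a filter
// value is only ever compared, never executed.

const OPERATORS = {
  equal: (a, b) => a === b,
  notEqual: (a, b) => a !== b,
  greaterThan: (a, b) => typeof a === "number" && a > b,
  lessThan: (a, b) => typeof a === "number" && a < b,
  contains: (a, b) => typeof a === "string" && a.includes(String(b)),
};

// Constructed allowlist of filterable columns; anything else is rejected
// up front rather than interpolated into a code string.
const FILTERABLE_FIELDS = new Set(["name", "status", "age", "email"]);

function validateFilter(filter) {
  if (!filter || typeof filter !== "object") throw new Error("filter must be an object");
  const { field, operator, value } = filter;
  if (!FILTERABLE_FIELDS.has(field)) throw new Error(`unknown field: ${String(field)}`);
  // hasOwnProperty guards against prototype keys such as "constructor".
  if (!Object.prototype.hasOwnProperty.call(OPERATORS, operator)) {
    throw new Error(`unknown operator: ${String(operator)}`);
  }
  if (value !== null && typeof value === "object") throw new Error("value must be a scalar");
  return { field, operator, value };
}

// Every filter must pass validation before any row is touched.
function applyViewFilters(rows, filters) {
  const checks = filters.map(validateFilter);
  return rows.filter((row) =>
    checks.every(({ field, operator, value }) => OPERATORS[operator](row[field], value))
  );
}

// Constructed sample rows standing in for a tenant table.
const SAMPLE_ROWS = [
  { name: "alice", status: "active", age: 34, email: "alice@example.com" },
  { name: "bob", status: "disabled", age: 27, email: "bob@example.com" },
  { name: "carol", status: "active", age: 41, email: "carol@example.com" },
];
```

A value that looks like code (for example `"x || true"`) is simply compared against the column and matches nothing, which is the property the eval()-based filter lacked.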
🔧 Temporary Workarounds
Disable view filtering functionality
Temporarily disable the vulnerable view filtering feature until patching can be completed.
Requires application configuration changes; consult Budibase documentation for feature toggles.
🧯 If You Can't Patch
- Immediately rotate all environment variables and secrets exposed in the app-service pod
- Implement strict network segmentation to limit database access and monitor for unusual database queries
🔍 How to Verify
Check if Vulnerable:
Check if running Budibase Cloud version earlier than 3.30.4. Review code in packages/server/src/db/inMemoryView.ts for unsafe eval() usage with user input.
Check Version:
Check Budibase version in application settings or via API endpoint /api/version
Verify Fix Applied:
Verify version is 3.30.4 or later. Confirm that the commit 348659810cf930dda5f669e782706594c547115d is applied, which replaces eval() with safe alternatives.
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript execution patterns in server logs
- Multiple failed or unusual view filtering requests
- Unexpected database access patterns from app-service
Network Indicators:
- Unusual outbound connections from app-service pods
- Database queries from unexpected sources
SIEM Query:
source="budibase-logs" AND ("eval" OR "inMemoryView" OR "view filtering") AND status="200"