GHSA-QQF5-X7MJ-V43P

GHSA-QQF5-X7MJ-V43P is a high-severity SQL injection vulnerability in budibase (npm), affecting versions < 3.39.19. It is fixed in 3.39.19.

Summary

This advisory covers three distinct SQL injection vulnerabilities in Budibase's database connectors (PostgreSQL, Microsoft SQL Server and MySQL). Schema values taken from the datasource configuration, and in the MySQL case table names read back from the database catalog, are interpolated directly into raw SQL during database introspection without escaping or parameterization, so an authenticated administrator (or, for MySQL, anyone able to create a table in the connected database) can break out of the quoting delimiters. The result is arbitrary DDL/DML execution, database compromise, and potentially command execution on the database host (e.g. via xp_cmdshell on SQL Server).

Details

Vulnerability Type & Title

PostgreSQL SET search_path SQL Injection

Description & Root Cause

The schema datasource config field is interpolated directly into a raw SQL statement without proper escaping. Double quotes inside the schema name are not escaped, allowing an attacker to break out of the string literal and inject arbitrary SQL.

Vulnerable Code:
File: packages/server/src/integrations/postgres.ts, lines 355–358

const search_path = this.config.schema
  .split(",")
  .map(item => `"${item.trim()}"`)                // NO escaping of embedded "
await this.client.query(`SET search_path TO ${search_path.join(",")};`)

Because the statement is issued without bind parameters, node-postgres sends it over the simple query protocol, which accepts several semicolon-separated statements in one string; the extended (parameterized) protocol would reject multi-statement text.

Step-by-Step Reproduction

  1. Edit a PostgreSQL datasource configuration.
  2. Set the schema field to:
    public"; CREATE TABLE pwned AS SELECT usename, passwd FROM pg_shadow; --
  3. Save or trigger a connection test.
  4. The value is split on commas, each piece is wrapped in double quotes and the pieces are joined, so the statement actually sent is:
    SET search_path TO "public"; CREATE TABLE pwned AS SELECT usename","passwd FROM pg_shadow; --";
    The closing quote the code appends is swallowed by the -- comment. Note that the comma in this payload's SELECT list is itself a split point, so the injected CREATE TABLE as written is a syntax error; the injected statement has to be comma-free for PostgreSQL to accept the batch.
  5. PostgreSQL parses the whole string and runs its statements in order, so the injected statement executes alongside the SET.

Vulnerability Type & Title

Microsoft SQL Server Schema Introspection SQL Injection

Description & Root Cause

Three methods used during schema introspection (buildSchema) interpolate user-controlled values directly into SQL strings using single-quote delimiters with no escaping.

Vulnerable Code:
File: packages/server/src/integrations/microsoftSqlServer.ts, lines 388–414

getDefinitionSQL(tableName: string, schemaName: string) {
  return `select * from INFORMATION_SCHEMA.COLUMNS
          where TABLE_NAME='${tableName}' AND TABLE_SCHEMA='${schemaName}'`
}

schemaName comes directly from this.config.schema (user config).

Step-by-Step Reproduction

  1. Edit an MS SQL Server datasource configuration.
  2. Set the schema field to: dbo'; EXEC xp_cmdshell('whoami'); --
  3. Trigger schema introspection (fetch tables).
  4. The closing quote is commented out and the batch runs: the OS command executes on the SQL Server host if xp_cmdshell is enabled and the datasource login is permitted to execute it (sysadmin, or an explicit EXECUTE grant).

Impact

  • Arbitrary SQL execution, potentially leading to OS command execution via xp_cmdshell.

Vulnerability Type & Title

MySQL multipleStatements: true + DESCRIBE Backtick Injection

Description & Root Cause

The MySQL integration enables multipleStatements: true, allowing semicolon-separated multi-statement execution. When introspecting tables, table names are interpolated into a DESCRIBE query wrapped in backticks, but the backticks are not escaped.

Vulnerable Code:
File: packages/server/src/integrations/mysql.ts, lines 172, 305

this.config = { ...config, multipleStatements: true, ... }  // line 172
...
{ sql: `DESCRIBE \`${tableName}\`;` }  // line 305, backtick NOT escaped

Step-by-Step Reproduction

  1. A database user with permission to create tables (or an attacker who already has that access) creates a table named foo`; DROP TABLE users; --.
  2. In Budibase, an admin triggers schema introspection for the database.
  3. Budibase reads the malicious table name from INFORMATION_SCHEMA.TABLES and inserts it into the DESCRIBE query.
  4. The backtick breaks out, and the secondary DROP TABLE payload executes.

Impact

  • Arbitrary SQL execution triggered during schema discovery. Requires prior database catalog manipulation.

Impact (PostgreSQL SET search_path injection)

  • Full database compromise. The attacker can read pg_shadow password hashes, call pg_read_file() to read files on the database host, or execute any DDL/DML. Reading pg_shadow and calling pg_read_file() require superuser or equivalent role membership, so the realised impact depends on the privileges of the configured datasource role.
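The following TypeScript is an added example, not Budibase's code, and serves all three sections above (the PostgreSQL search_path statement, the SQL Server INFORMATION_SCHEMA lookup and the MySQL DESCRIBE). Each vulnerable builder is reproduced as quoted on the page beside a hardened form, and a small statementCount walker shows whether a value has broken out of its delimiters. The Query type, the function names, the walker and the constants are the example's own; set_config() and node-mssql's request.input() are standard APIs, but no driver is called here, only query text and bind values are built.

```typescript
// Added example, not Budibase code: the three interpolations from this advisory,
// each beside a hardened form. No driver is called; every builder returns the SQL
// text plus bind values, which is what the statementCount check below inspects.

type Query = { text: string; values: unknown[] };

// ---- PostgreSQL: SET search_path (datasource config value) ----

// Vulnerable form as quoted on the page: split on commas, wrap each piece in
// double quotes, no escaping of an embedded double quote.
function searchPathVulnerable(schema: string): Query {
  const parts = schema.split(",").map(item => `"${item.trim()}"`);
  return { text: `SET search_path TO ${parts.join(",")};`, values: [] };
}

// Quote a PostgreSQL identifier: an embedded double quote is doubled, so the value
// cannot close the delimiter early. Empty and NUL-bearing names are rejected.
function quoteIdentPg(name: string): string {
  if (name.length === 0 || name.includes("\0")) throw new Error("invalid identifier");
  return `"${name.replace(/"/g, '""')}"`;
}

// Hardened form 1: same statement, identifiers quoted properly.
function searchPathQuoted(schema: string): Query {
  const parts = schema.split(",").map(item => quoteIdentPg(item.trim()));
  return { text: `SET search_path TO ${parts.join(",")};`, values: [] };
}

// Hardened form 2: SET takes no bind parameters, but set_config() does. Passing
// values also makes node-postgres use the extended protocol, which refuses
// multi-statement text outright.
function searchPathParameterized(schema: string): Query {
  return { text: "SELECT set_config('search_path', $1, false)", values: [schema] };
}

// ---- Microsoft SQL Server: INFORMATION_SCHEMA lookup (datasource config value) ----

// Vulnerable form as quoted on the page: single-quoted literals, no escaping.
function definitionSqlVulnerable(tableName: string, schemaName: string): Query {
  const text = `select * from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='${tableName}' AND TABLE_SCHEMA='${schemaName}'`;
  return { text, values: [] };
}

// Hardened form: named parameters. With node-mssql they are bound with
// request.input("tableName", value) / request.input("schemaName", value) before query().
function definitionSqlParameterized(tableName: string, schemaName: string): Query {
  const text = "select * from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=@tableName AND TABLE_SCHEMA=@schemaName";
  return { text, values: [tableName, schemaName] };
}

// ---- MySQL: DESCRIBE with a table name read back from the catalog ----

// Vulnerable form as quoted on the page: backticks around an unescaped name.
function describeVulnerable(tableName: string): Query {
  return { text: `DESCRIBE \`${tableName}\`;`, values: [] };
}

// Quote a MySQL identifier: an embedded backtick is doubled.
function quoteIdentMySql(name: string): string {
  if (name.length === 0 || name.includes("\0")) throw new Error("invalid identifier");
  return "`" + name.replace(/`/g, "``") + "`";
}

// Hardened form: DESCRIBE cannot be parameterized, so quoting is the fix, and the
// connection must keep multipleStatements off (mysql2 default) so a value that did
// escape its delimiter is a syntax error rather than a second executed statement.
function describeQuoted(tableName: string): Query {
  return { text: `DESCRIBE ${quoteIdentMySql(tableName)};`, values: [] };
}
const mysqlConnectionOptions = { multipleStatements: false };

// ---- Check: number of top-level statements in a query text ----

// Walks the text honoring "..", '..' and `..` regions, where a doubled delimiter is
// an escape, and stops at a -- comment. A result of 1 means nothing broke out of its
// delimiters. Backslash escapes are not modelled; this is a test aid, not a parser.
function statementCount(text: string): number {
  let count = 0;
  let inQuote: string | null = null;
  let sawToken = false;
  for (let i = 0; i < text.length; i++) {
    const c = text.charAt(i);
    if (inQuote !== null) {
      if (c === inQuote) {
        if (text.charAt(i + 1) === inQuote) i++; // doubled delimiter: literal character
        else inQuote = null;
      }
      continue;
    }
    if (c === '"' || c === "'" || c === "`") { inQuote = c; sawToken = true; continue; }
    if (c === "-" && text.charAt(i + 1) === "-") break; // line comment: rest is ignored
    if (c === ";") { if (sawToken) count++; sawToken = false; continue; }
    if (!/\s/.test(c)) sawToken = true;
  }
  return sawToken ? count + 1 : count;
}

// Constructed inputs, taken from the reproduction steps on this page.
const PG_PAYLOAD = 'public"; CREATE TABLE pwned AS SELECT usename, passwd FROM pg_shadow; --';
const MSSQL_PAYLOAD = "dbo'; EXEC xp_cmdshell('whoami'); --";
const MYSQL_TABLE = "foo`; DROP TABLE users; --";
```

Run against the page's payloads, the vulnerable builders each yield two statements while every hardened form yields one; the PostgreSQL case also makes the comma split visible (usename","passwd appears in the sent text). The parameterized forms are preferable wherever the statement allows a bind value, because the injected text then never reaches the SQL parser at all; identifier quoting is the fallback for SET and DESCRIBE, which take no parameters.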

Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access. Typical impact: data disclosure or modification.

GHSA-QQF5-X7MJ-V43P has a CVSS score of 8.4 (High). The vector is network-reachable, with high privileges required and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.39.19); upgrading removes the vulnerable code path.

Affected versions

budibase (< 3.39.19)

Security releases

budibase → 3.39.19 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

Upgrade budibase to 3.39.19 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is GHSA-QQF5-X7MJ-V43P? GHSA-QQF5-X7MJ-V43P is a high-severity SQL injection vulnerability in budibase (npm), affecting versions < 3.39.19. It is fixed in 3.39.19. Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access.
  2. How severe is GHSA-QQF5-X7MJ-V43P? GHSA-QQF5-X7MJ-V43P has a CVSS score of 8.4 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of budibase are affected by GHSA-QQF5-X7MJ-V43P? budibase (npm) versions < 3.39.19 are affected.
  4. Is there a fix for GHSA-QQF5-X7MJ-V43P? Yes. GHSA-QQF5-X7MJ-V43P is fixed in 3.39.19. Upgrade to this version or later.
  5. Is GHSA-QQF5-X7MJ-V43P exploitable, and should I be worried? Whether GHSA-QQF5-X7MJ-V43P is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether GHSA-QQF5-X7MJ-V43P is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-QQF5-X7MJ-V43P? Upgrade budibase to 3.39.19 or later.

Other vulnerabilities in budibase

  • CVE-2026-46426
  • CVE-2026-45718
  • CVE-2026-45061
  • CVE-2026-33226
  • CVE-2026-27702