CVE-2026-54350

Budibase Anonymous NoSQL Operator Injection via Published-App Query Templates

CVE-2026-54350 is a critical (CVSS 10.0) NoSQL operator injection vulnerability in @budibase/server versions prior to 3.39.12. Unauthenticated (anonymous) visitors to a published app can inject MongoDB-style operators (e.g., $gt, $where, $regex) into the query templates the app executes against its datasource, bypassing authentication and data-access controls. Successful exploitation can lead to full database exfiltration and authentication bypass; where the backing MongoDB deployment has server-side JavaScript enabled, a $where clause additionally yields code execution inside the database process. A public PoC is available.
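The bug class behind this CVE, shown as an added illustration rather than Budibase's own code: a query template that splices user-controlled JSON bindings straight into a MongoDB-style filter, beside a hardened version that only lets scalars through. The user records, the tiny in-memory filter matcher and the two login functions are all constructed here so the example runs offline; none of the names come from the Budibase code base.

```javascript
// Added illustration of the NoSQL operator injection pattern (not Budibase code).
// Constructed sample collection standing in for a datasource table.
const USERS = [
  { username: "alice", password: "s3cret-hash", role: "admin" },
  { username: "bob",   password: "hunter2-hash", role: "viewer" },
];

// Minimal subset of MongoDB filter semantics, just enough to show the bypass.
// An object value is interpreted as a set of operators; anything else is equality.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const v = doc[field];
    if (cond !== null && typeof cond === "object" && !Array.isArray(cond)) {
      return Object.entries(cond).every(([op, arg]) => {
        switch (op) {
          case "$ne":    return v !== arg;
          case "$gt":    return v > arg;
          case "$in":    return Array.isArray(arg) && arg.includes(v);
          case "$regex": return typeof v === "string" && new RegExp(arg).test(v);
          default:       throw new Error(`unsupported operator ${op}`);
        }
      });
    }
    return v === cond;
  });
}

function find(collection, filter) {
  return collection.filter((d) => matches(d, filter));
}

// VULNERABLE: bindings arrive as already-parsed JSON from the published-app
// request body and are placed into the filter as-is. A value such as
// {"$ne": null} therefore becomes an operator instead of a literal, and
// {"$regex": "^s3c"} lets an attacker enumerate a secret one prefix at a time.
function loginVulnerable(bindings) {
  const filter = { username: bindings.username, password: bindings.password };
  return find(USERS, filter);
}

// HARDENED: every binding is coerced to a scalar before it reaches the filter
// and binding names starting with "$" or containing "." are rejected, so only
// equality against literal values can ever reach the datasource.
function toScalar(value, name) {
  if (value === null || value === undefined) return value;
  if (typeof value === "object") {
    throw new Error(`binding "${name}" must be a scalar, got object`);
  }
  return String(value);
}

function loginHardened(bindings) {
  for (const key of Object.keys(bindings)) {
    if (key.startsWith("$") || key.includes(".")) {
      throw new Error(`illegal binding name "${key}"`);
    }
  }
  const filter = {
    username: toScalar(bindings.username, "username"),
    password: toScalar(bindings.password, "password"),
  };
  return find(USERS, filter);
}

// Stand-alone demo: the operator payload logs in as everyone on the vulnerable
// path and is refused outright on the hardened one.
const payload = { username: { "$ne": null }, password: { "$ne": null } };
console.log("vulnerable:", loginVulnerable(payload).map((u) => u.username));
try { loginHardened(payload); } catch (e) { console.log("hardened:", e.message); }
```

The fix is deliberately structural: it does not try to blocklist operator names, because the datasource decides what a `$`-prefixed key means. Coercing bindings to scalars before the filter is built removes the ambiguity entirely.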

Vulnerability Intelligence

Public PoC

Affected Software

Vendor
npm
Product
@budibase/server
Versions
< 3.39.12

Weakness (CWE)

Timeline

Disclosed
June 23, 2026

CVSS

10.0
Critical (9.0–10)

What is CVE-2026-54350 Budibase Anonymous NoSQL Operator Injection via Published-App Query Templates?

Budibase Anonymous NoSQL Operator Injection via Published-App Query Templates (CVE-2026-54350) maps to the MITRE ATT&CK tactics Initial Access, Credential Access, Discovery and Collection: the adversary uses the exposed published-app query endpoint to get in, harvest credentials, enumerate the data model and pull records out.

This page provides production-ready detection logic for Budibase Anonymous NoSQL Operator Injection via Published-App Query Templates, covering the data sources and telemetry it touches: CommonSecurityLog, AzureDiagnostics, WAF Logs, Reverse Proxy Logs. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access, Credential Access, Discovery, Collection
Microsoft Sentinel / Defender
kusto
// Populate with the hostnames that front your Budibase instance(s);
// an empty list means "do not scope by host".
let BudibaseHosts = dynamic([]);
let lookback = 24h;
// Longest alternatives first so "$gte" is not reported as "$gt"; "%24" catches
// a second layer of URL encoding; the trailing \b keeps "$order" or "$inside"
// from matching "$or" / "$in". RE2 syntax, so no lookaround is used.
let OperatorRegex = @"(?:\$|%24)(gte|lte|nin|gt|lt|ne|in|exists|where|regex|elemMatch|or|and|not|nor)\b";
let Requests = union isfuzzy=true
(
  CommonSecurityLog
  | where TimeGenerated >= ago(lookback)
  | where DeviceProduct has_any ("nginx", "apache", "budibase")
  | where array_length(BudibaseHosts) == 0 or DestinationHostName in (BudibaseHosts)
  | where RequestURL has "/api/public/v1/queries" or RequestURL has "/app/"
  // Which CEF field carries the query string or body depends on the forwarder;
  // RequestContext and AdditionalExtensions are the usual candidates.
  | extend Payload = url_decode(strcat(RequestURL, " ", RequestContext, " ", AdditionalExtensions))
  | project TimeGenerated, SourceIP, RequestURL, RequestMethod, Payload, Source = DeviceProduct
),
(
  AzureDiagnostics
  | where TimeGenerated >= ago(lookback)
  | where Category == "ApplicationGatewayAccessLog"
  | where array_length(BudibaseHosts) == 0 or host_s in (BudibaseHosts)
  | where requestUri_s has "/api/public/v1/queries" or requestUri_s has "/api/v1/queries" or requestUri_s has "/app/"
  // Access logs carry the URI and query string only, not POST bodies; body
  // injection is visible in this branch only if a WAF or proxy logs the body.
  | extend Payload = url_decode(strcat(requestUri_s, " ", requestQuery_s))
  | project TimeGenerated, SourceIP = clientIP_s, RequestURL = requestUri_s, RequestMethod = httpMethod_s, Payload, Source = "ApplicationGateway"
);
Requests
// First operator per request; the set across a source IP is built below.
| extend InjectionOperator = extract(OperatorRegex, 1, Payload)
| where isnotempty(InjectionOperator)
| extend InjectionOperator = strcat("$", InjectionOperator)
| summarize AttemptCount = count(), Operators = make_set(InjectionOperator), RequestPaths = make_set(RequestURL), Sources = make_set(Source)
    by SourceIP, bin(TimeGenerated, 5m)
// Raise this threshold when tuning; it is 1 here so a single $where probe is not lost.
| where AttemptCount >= 1
| extend RiskScore = case(set_has_element(Operators, "$where"), "CRITICAL",
                          array_length(Operators) >= 3, "HIGH",
                          "MEDIUM")
| order by AttemptCount desc

Detects NoSQL operator injection attempts against Budibase published-app query endpoints by URL-decoding the request path, query string and (where the log source carries it) body, then matching MongoDB operator keywords as whole tokens, so that $gte is not reported as $gt and GraphQL-style variables such as $orderId do not match. Hits are aggregated per source IP in 5-minute bins; the risk score is CRITICAL when $where appears, HIGH when three or more distinct operators are seen, otherwise MEDIUM.

Severity: critical. Confidence: high.

Data Sources

CommonSecurityLog, AzureDiagnostics, WAF Logs, Reverse Proxy Logs

Required Tables

CommonSecurityLog, AzureDiagnostics

False Positives

  • Legitimate application query parameters that coincidentally contain strings like '$gt' in field names or values
  • Security scanners or vulnerability assessment tools performing authorized testing against Budibase instances
  • Internal development or QA environments testing query functionality with MongoDB operators
  • GraphQL or other API frameworks that use $ prefixed variables in request bodies
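The detection logic of the KQL query above, re-expressed as an added JavaScript example (not from the page's detection package or from Budibase) so it can be exercised offline. The sample records, IP addresses and paths are constructed for the demonstration and follow the four scenarios listed under Testing Methodology below: a $ne authentication bypass, a $where probe, a series of $regex enumeration requests, and a comparison operator in a query string. Two benign records exercise the false-positive cases above: a GraphQL document with a $orderId variable, and an unrelated path.

```javascript
// Added example: the detection from the KQL query, runnable over constructed logs.
// Longest alternatives first so "$gte" is not reported as "$gt"; "%24" covers a
// second layer of URL encoding; the trailing \b keeps "$orderId" from matching "$or".
const OPERATOR_RE =
  /(?:\$|%24)(gte|lte|nin|gt|lt|ne|in|exists|where|regex|elemMatch|or|and|not|nor)\b/g;

// Budibase published-app query endpoints, as in the KQL query.
const QUERY_PATHS = ["/api/public/v1/queries", "/api/v1/queries", "/app/"];

// Constructed sample records in the shape a reverse proxy or WAF would emit:
// source IP, method, path, and the raw query string or body.
const SAMPLE_LOGS = [
  { ip: "203.0.113.10", method: "POST", path: "/api/public/v1/queries/q1",
    payload: '{"fields":{"username":{"$ne":null},"password":{"$ne":null}}}' },
  { ip: "203.0.113.10", method: "POST", path: "/api/public/v1/queries/q1",
    payload: '{"fields":{"user":{"$where":"sleep(5000)"}}}' },
  { ip: "203.0.113.22", method: "GET",  path: "/app/crm",
    payload: "filter=%7B%22name%22%3A%7B%22%24regex%22%3A%22%5Ea%22%7D%7D" },
  { ip: "203.0.113.22", method: "GET",  path: "/app/crm",
    payload: "filter=%7B%22name%22%3A%7B%22%24regex%22%3A%22%5Eb%22%7D%7D" },
  { ip: "198.51.100.5", method: "POST", path: "/api/public/v1/queries/q2",
    payload: '{"fields":{"amount":{"$gte":100}}}' },
  // Benign: a GraphQL variable that must not be flagged, and an unrelated path.
  { ip: "198.51.100.9", method: "POST", path: "/api/public/v1/queries/q3",
    payload: '{"query":"query($orderId: ID!) { order(id: $orderId) { id } }"}' },
  { ip: "198.51.100.9", method: "GET",  path: "/healthz", payload: "" },
];

// Tolerant URL decode: malformed percent sequences are kept as-is rather than
// making the whole record unmatchable.
function decode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Distinct operators found in one record, or [] if the path is not a query endpoint.
function extractOperators(rec) {
  if (!QUERY_PATHS.some((p) => rec.path.includes(p))) return [];
  const text = decode(rec.path + " " + rec.payload);
  const found = new Set();
  for (const m of text.matchAll(OPERATOR_RE)) found.add("$" + m[1]);
  return [...found];
}

// Same scoring as the KQL case(): $where is CRITICAL, operator diversity is HIGH.
function riskScore(operators) {
  if (operators.includes("$where")) return "CRITICAL";
  if (operators.length >= 3) return "HIGH";
  return "MEDIUM";
}

// Mirrors the KQL summarize: one row per source IP with attempt count, the
// set of operators, the paths hit and a risk score, busiest source first.
function detect(records) {
  const byIp = new Map();
  for (const rec of records) {
    const ops = extractOperators(rec);
    if (ops.length === 0) continue; // no operator: not an injection attempt
    const row = byIp.get(rec.ip) ??
      { ip: rec.ip, attempts: 0, operators: new Set(), paths: new Set() };
    row.attempts += 1;
    ops.forEach((o) => row.operators.add(o));
    row.paths.add(rec.path);
    byIp.set(rec.ip, row);
  }
  return [...byIp.values()]
    .map((r) => ({
      ip: r.ip,
      attempts: r.attempts,
      operators: [...r.operators].sort(),
      paths: [...r.paths],
      risk: riskScore([...r.operators]),
    }))
    .sort((a, b) => b.attempts - a.attempts);
}

console.log(JSON.stringify(detect(SAMPLE_LOGS), null, 2));
```

The 5-minute time bin of the KQL is left out here because the constructed records carry no timestamps; in production, bin before aggregating so a slow $regex enumeration spread over hours still groups by source.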

Sigma rule & cross-platform mapping

The detection logic for Budibase Anonymous NoSQL Operator Injection via Published-App Query Templates (CVE-2026-54350) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: webserver

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Basic NoSQL Operator Injection via Budibase Published Query API

    Expected signal: HTTP POST request to /api/public/v1/queries/{id} with JSON body containing '$gt' operator visible in web proxy logs or network capture

  2. Test 2: JavaScript Execution via $where NoSQL Operator (RCE Path)

    Expected signal: HTTP POST with '$where' string in request body; potentially elevated response time if JavaScript executes; MongoDB slow query log entry if profiling enabled

  3. Test 3: Authentication Bypass via $ne Operator on User Collection Query

    Expected signal: POST request to Budibase query endpoint with $ne operators in both username and password fields; HTTP 200 response with user record(s) returned if vulnerable

  4. Test 4: Data Exfiltration via $regex Operator Enumeration

    Expected signal: Series of POST requests to same Budibase query endpoint with varying $regex patterns; observable as repeated requests with incrementing operator values in proxy logs

Unlock Pro Content

Get the full detection package for CVE-2026-54350 including response playbook, investigation guide, and atomic red team tests.
