CVE-2026-54350 Splunk · SPL

Detect Budibase Anonymous NoSQL Operator Injection via Published-App Query Templates in Splunk

CVE-2026-54350 is a critical (CVSS 10.0) NoSQL operator injection vulnerability in @budibase/server versions prior to 3.39.12. Unauthenticated attackers can inject MongoDB-style operators (e.g., $gt, $where, $regex) into published-app query templates, bypassing authentication and data access controls. Successful exploitation can lead to full database exfiltration, authentication bypass, and remote code execution via $where clauses. A public PoC is available.

MITRE ATT&CK

Tactic
Initial Access, Credential Access, Discovery, Collection

SPL Detection Query

Splunk (SPL)
index=web OR index=proxy OR index=waf sourcetype IN ("access_combined", "nginx:access", "apache:access", "pan:traffic", "stream:http")
| eval url=coalesce(uri_path, 'cs-uri-stem', url, request_url)
| eval body=coalesce(request_body, form_data, postargs, 'cs-uri-query')
| where match(url, "/api/public/v1/queries|/api/v1/queries|/app/")
| eval payload=coalesce(body, url, "")
| eval nosql_hit=if(match(payload, "\$(?:gt|gte|lt|lte|ne|in|nin|exists|where|regex|elemMatch|or|and|not|nor)"), 1, 0)
| where nosql_hit=1
| rex field=payload max_match=10 "(?P<nosql_operator>\$(?:gt|gte|lt|lte|ne|in|nin|exists|where|regex|elemMatch|or|and|not|nor))"
| bin _time span=5m
| stats count as attempt_count, values(nosql_operator) as operators_seen, values(url) as paths_targeted, values(status) as http_statuses, dc(url) as unique_paths by src_ip, _time
| eval risk_level=case(
    mvcount(operators_seen) > 3, "CRITICAL",
    mvfind(operators_seen, "\$where") >= 0, "CRITICAL",
    mvcount(operators_seen) >= 2, "HIGH",
    1=1, "MEDIUM"
  )
| eval risk_rank=case(risk_level="CRITICAL", 3, risk_level="HIGH", 2, 1=1, 1)
| eval success_indicator=if(mvfind(http_statuses, "^200$") >= 0, "POSSIBLE_SUCCESS", "ATTEMPTED")
| sort - risk_rank, - attempt_count
| table _time, src_ip, attempt_count, operators_seen, paths_targeted, risk_level, success_indicator
Severity: critical. Confidence: high.

Detects NoSQL operator injection attempts against Budibase query API endpoints. It parses HTTP request bodies (falling back to the URL) for MongoDB operators, aggregates hits per source IP in 5-minute windows, scores each window by operator diversity (any $where is scored CRITICAL), and marks a window as POSSIBLE_SUCCESS when any of its matching requests returned HTTP 200.
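The same scoring logic expressed in Python so it can be exercised offline against sample events. This is an added example, not code from the detection page or from Budibase; the field layout (ts, src_ip, url, body, status) and the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Same operator list and Budibase path filter as the SPL above.
NOSQL_OP_RE = re.compile(r"\$(?:gt|gte|lt|lte|ne|in|nin|exists|where|regex|elemMatch|or|and|not|nor)")
BUDIBASE_PATH_RE = re.compile(r"/api/public/v1/queries|/api/v1/queries|/app/")
BIN_SECONDS = 300  # 5-minute windows, matching span=5m

# Constructed sample events (ts, src_ip, url, body, status); hypothetical, not real traffic.
SAMPLE_EVENTS = [
    ("2026-03-01T10:00:05", "203.0.113.10", "/api/public/v1/queries/q1", '{"q":{"$gt":""}}', "401"),
    ("2026-03-01T10:01:10", "203.0.113.10", "/api/public/v1/queries/q1", '{"q":{"$ne":""}}', "200"),
    ("2026-03-01T10:02:30", "198.51.100.7", "/api/v1/queries/q9", '{"q":{"$where":"x"}}', "500"),
    ("2026-03-01T10:03:00", "192.0.2.5", "/app/home", '{"name":"alice"}', "200"),      # benign: no operator
    ("2026-03-01T10:04:00", "192.0.2.5", "/static/app.js", '{"q":{"$gt":""}}', "200"), # not a Budibase path
]

def risk_level(operators):
    # Mirrors the case(): >3 distinct operators or any $where is CRITICAL, 2+ is HIGH, else MEDIUM.
    if len(operators) > 3 or "$where" in operators:
        return "CRITICAL"
    return "HIGH" if len(operators) >= 2 else "MEDIUM"

def detect(events):
    """Group operator hits by (src_ip, 5-minute bin) and score them like the SPL stats/eval stages."""
    buckets = defaultdict(lambda: {"attempts": 0, "ops": set(), "paths": set(), "statuses": set()})
    for ts, src_ip, url, body, status in events:
        if not BUDIBASE_PATH_RE.search(url):
            continue
        ops = NOSQL_OP_RE.findall(body or url)[:10]    # coalesce(body, url), max_match=10
        if not ops:
            continue
        epoch = int(datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp())
        b = buckets[(src_ip, epoch - epoch % BIN_SECONDS)]
        b["attempts"] += 1
        b["ops"].update(ops)
        b["paths"].add(url)
        b["statuses"].add(status)
    rank = {"CRITICAL": 3, "HIGH": 2, "MEDIUM": 1}
    results = [{"src_ip": ip, "bin_start": start, "attempt_count": b["attempts"],
                "operators_seen": sorted(b["ops"]), "paths_targeted": sorted(b["paths"]),
                "risk_level": risk_level(b["ops"]),
                "success_indicator": "POSSIBLE_SUCCESS" if "200" in b["statuses"] else "ATTEMPTED"}
               for (ip, start), b in buckets.items()]
    # Sort by numeric rank, not the label string (alphabetically, MEDIUM would sort above CRITICAL).
    return sorted(results, key=lambda r: (rank[r["risk_level"]], r["attempt_count"]), reverse=True)
```

Running detect(SAMPLE_EVENTS) yields two windows: the $where source scored CRITICAL but only ATTEMPTED (HTTP 500), and the two-operator source scored HIGH with POSSIBLE_SUCCESS; the benign /app/ request and the non-Budibase path produce nothing.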

Data Sources

Web/Proxy Logs, WAF Logs, Network Stream Data

Required Sourcetypes

access_combined, nginx:access, apache:access, stream:http

False Positives & Tuning

  • Legitimate MongoDB query syntax in internal API calls between Budibase microservices
  • Authorized penetration testing or red team exercises against Budibase infrastructure
  • API monitoring or synthetic transaction tools that exercise query endpoints with complex parameters
  • Import/export operations involving JSON data that contains operator-like field names

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Basic NoSQL Operator Injection via Budibase Published Query API

    Expected signal: HTTP POST request to /api/public/v1/queries/{id} with JSON body containing '$gt' operator visible in web proxy logs or network capture

  2. Test 2: JavaScript Execution via $where NoSQL Operator (RCE Path)

    Expected signal: HTTP POST with '$where' string in request body; potentially elevated response time if JavaScript executes; MongoDB slow query log entry if profiling enabled

  3. Test 3: Authentication Bypass via $ne Operator on User Collection Query

    Expected signal: POST request to Budibase query endpoint with $ne operators in both username and password fields; HTTP 200 response with user record(s) returned if vulnerable

  4. Test 4: Data Exfiltration via $regex Operator Enumeration

    Expected signal: Series of POST requests to same Budibase query endpoint with varying $regex patterns; observable as repeated requests with incrementing operator values in proxy logs
