Critical (9.9)

Budibase unsafe eval RCE (CVE-2026-27702)

CVE-2026-27702

Attackers can execute arbitrary code via unsafe eval in view filtering. Upgrade to Budibase 3.30.4 or later to fix.

Affected: Budibase (vendor: Budibase)

Patch now - CVE-2026-27702 is a critical remote code execution vulnerability in Budibase Cloud prior to version 3.30.4 that grants authenticated attackers full server control and the ability to steal system secrets, including database admin credentials and internal API keys.

Overview

A critical security vulnerability in Budibase Cloud (SaaS) allows authenticated users to execute arbitrary code on the server. This flaw could lead to a complete compromise of the application environment and sensitive data.

Vulnerability Details

Budibase is a low-code platform for building internal tools. In versions prior to 3.30.4, a feature for filtering data views used an unsafe eval() function to process user input. This meant any authenticated user, including those on free accounts, could inject and run malicious JavaScript code directly on the Budibase server. The vulnerability is located in the file packages/server/src/db/inMemoryView.ts.

Important Note: This vulnerability only affects Budibase Cloud, the hosted Software-as-a-Service offering. Self-hosted Budibase deployments use a different technical approach and are not vulnerable.
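The defect class described above, as an added illustration that is not Budibase's own code: a hypothetical in-memory view filter that compiles a user-supplied string into server-side code, beside a hardened version that accepts only a structured {field, operator, value} object and looks the operator up in an allow-list, so the caller's input is only ever compared as data. The sample rows, the function names and the operator set are all assumptions made for the example.

```javascript
// Constructed sample rows standing in for a table served by an in-memory view.
const SAMPLE_ROWS = [
  { id: 1, name: "alice", role: "admin", age: 41 },
  { id: 2, name: "bob", role: "user", age: 29 },
  { id: 3, name: "carol", role: "user", age: 35 },
];

// UNSAFE (hypothetical pattern, not Budibase's code): the filter string is
// compiled into a function and run with the server's privileges. Anything the
// caller writes executes, so the "filter" is really a code-execution primitive.
function unsafeFilterRows(rows, filterExpr) {
  const predicate = new Function("row", "return (" + filterExpr + ");");
  return rows.filter((row) => predicate(row));
}

// HARDENED: the filter is data. Only these operators exist, and each one
// checks operand types so a value of the wrong type simply fails to match.
const OPERATORS = Object.freeze({
  equal: (a, b) => a === b,
  notEqual: (a, b) => a !== b,
  moreThan: (a, b) => typeof a === "number" && typeof b === "number" && a > b,
  lessThan: (a, b) => typeof a === "number" && typeof b === "number" && a < b,
  contains: (a, b) =>
    typeof a === "string" && typeof b === "string" && a.includes(b),
});

// Turns a structured filter into a predicate. The operator must be an own
// property of OPERATORS (so "constructor" or "__proto__" cannot resolve to an
// inherited function), and the field must be an own property of the row.
function compileSafeFilter(filter) {
  if (typeof filter !== "object" || filter === null) {
    throw new TypeError("filter must be an object, not " + typeof filter);
  }
  const { field, operator, value } = filter;
  if (typeof field !== "string" || typeof operator !== "string") {
    throw new TypeError("field and operator must be strings");
  }
  if (!Object.prototype.hasOwnProperty.call(OPERATORS, operator)) {
    throw new RangeError("unknown operator: " + operator);
  }
  const op = OPERATORS[operator];
  return (row) =>
    Object.prototype.hasOwnProperty.call(row, field) && op(row[field], value);
}

function safeFilterRows(rows, filter) {
  return rows.filter(compileSafeFilter(filter));
}

// Usage: a legitimate filter works in both versions, but only the hardened one
// rejects a raw string and treats code-looking values as inert data.
console.log(safeFilterRows(SAMPLE_ROWS, { field: "role", operator: "equal", value: "admin" }));
```

The design point is that the hardened filter never constructs code from anything the caller sent: the operator name selects a function from a fixed table, and the value is passed to that function as an argument. A request that sends a string instead of an object, or names an operator outside the table, is rejected before any row is touched.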

Potential Impact

The impact of this vulnerability is severe. The compromised server pod contains critical environment variables with secrets like:

  • Internal API keys
  • JWT secrets for authentication
  • Full CouchDB database administrator credentials
  • AWS access keys

An attacker could use this code execution to steal these secrets. With the CouchDB credentials, they could directly access the backend database, enumerate all customer data, and exfiltrate sensitive information such as user email addresses and application data. This constitutes a full breach of the application’s security boundary.

Remediation and Mitigation

Immediate action is required for users of Budibase Cloud.

  1. Patch Immediately: The vendor has released a fix in Budibase version 3.30.4 and has already applied it to Budibase Cloud. If you are a Cloud customer, no action is needed on your part; the service has been updated.
  2. For Self-Hosted Users: If you operate a self-hosted Budibase instance, you are not affected by this specific vulnerability. However, always ensure you are running the latest stable version for other security and stability improvements.
  3. General Security Hygiene: As a best practice, organizations should review access logs for any unusual activity from the period before the patch was applied. Rotating internal secrets (like JWT_SECRET or API keys) is a recommended step after any potential security incident, though the patched code prevents new exploitation.

Summary

This critical vulnerability in Budibase Cloud allowed user-controlled code execution on the server, risking exposure of all system secrets and data. The SaaS platform has been patched to version 3.30.4. Self-hosted deployments were not vulnerable. Users should confirm their service is updated and consider proactive secret rotation as a precaution.
