CVE-2026-27702
Published: 25 February 2026
Summary
CVE-2026-27702 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Budibase. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- Requires timely identification, reporting, and patching of flaws such as the unsafe eval() vulnerability fixed in Budibase version 3.30.4.
- Mandates validation of user-controlled inputs, such as view map functions, before any dynamic evaluation, directly preventing arbitrary JavaScript code injection.
- Ensures external SaaS providers such as Budibase Cloud implement secure practices, including input sanitization and patching, to mitigate vulnerabilities specific to cloud deployments.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The unsafe eval() enables direct server-side JavaScript execution (T1059.007) through a public-facing SaaS application (T1190). The scope change from a low-privilege authenticated account to full server access maps to Exploitation for Privilege Escalation (T1068). Extraction of secrets from environment variables maps to Unsecured Credentials (T1552), and the resulting CouchDB access enables Data from Information Repositories: Databases (T1213.006).
NVD Description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. This vulnerability ONLY affects Budibase Cloud (SaaS) - self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in `packages/server/src/db/inMemoryView.ts` where user-controlled view map functions are directly evaluated without sanitization. The primary impact comes from what lives inside the pod's environment: the `app-service` pod runs with secrets baked into its environment variables, including `INTERNAL_API_KEY`, `JWT_SECRET`, CouchDB admin credentials, AWS keys, and more. Using the extracted CouchDB credentials, we verified direct database access, enumerated all tenant databases, and confirmed that user records (email addresses) are readable. Version 3.30.4 contains a patch.
Deeper analysis [AI-generated]
CVE-2026-27702 is an unsafe `eval()` vulnerability in Budibase, a low-code platform for building internal tools, workflows, and admin panels. It affects Budibase Cloud (SaaS) deployments prior to version 3.30.4, specifically in the `packages/server/src/db/inMemoryView.ts` file, where user-controlled view map functions are directly evaluated without sanitization. Self-hosted deployments are unaffected, as they use native CouchDB views.
Any authenticated user, including those on free tier accounts, can exploit this vulnerability remotely with low complexity to execute arbitrary JavaScript code on the server. The `app-service` pod environment contains sensitive secrets such as `INTERNAL_API_KEY`, `JWT_SECRET`, CouchDB admin credentials, and AWS keys. Attackers can extract CouchDB credentials to gain direct database access, enumerate all tenant databases, and read user records including email addresses. The vulnerability has a CVSS v3.1 score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L) and is associated with CWE-20 (Improper Input Validation), CWE-94 (Code Injection), and CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code).
Budibase addressed the issue in version 3.30.4 with a patch that prevents the unsafe evaluation of user-controlled code. Official advisories and resources, including the GitHub security advisory (GHSA-rvhr-26g4-p2r8), pull request #18087, commit 348659810cf930dda5f669e782706594c547115d, and the release notes for v3.30.4, detail the fix and recommend upgrading immediately for Cloud users.
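As an added illustration (not Budibase's code and not the 3.30.4 patch itself), the JavaScript below contrasts the pattern the advisory describes, compiling user-supplied view map source with the equivalent of `eval()`, against the SI-10 approach of accepting only a declarative filter that the server validates and evaluates with its own code. The functions (`runMapUnsafe`, `runMapSafe`, `validateFilter`) and the sample documents are constructed for this example.

```javascript
// Added example, not Budibase code: a minimal in-memory "view" over documents.
// Constructed sample documents standing in for rows in a tenant database.
const sampleDocs = [
  { _id: "row_1", status: "open", priority: 3 },
  { _id: "row_2", status: "closed", priority: 1 },
  { _id: "row_3", status: "open", priority: 5 },
];

// VULNERABLE PATTERN: user-controlled source text is compiled and run with the
// server's privileges. new Function() is eval() in all but name; whatever the
// text contains runs, the emit() contract is only a convention.
function runMapUnsafe(docs, mapSource) {
  const emitted = [];
  const mapFn = new Function("doc", "emit", mapSource); // equivalent to eval()
  for (const doc of docs) mapFn(doc, (value) => emitted.push(value));
  return emitted;
}

// HARDENED PATTERN (SI-10 input validation): the client sends a small
// declarative filter. Every field is checked against an allowlist and the
// comparison is performed by server code; no user-supplied text is compiled.
const ALLOWED_OPS = new Map([
  ["equals", (a, b) => a === b],
  ["gt", (a, b) => typeof a === "number" && a > b],
  ["lt", (a, b) => typeof a === "number" && a < b],
]);
const FIELD_NAME = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;

function validateFilter(filter) {
  if (typeof filter !== "object" || filter === null || Array.isArray(filter)) {
    throw new TypeError("filter must be an object, not code or a list");
  }
  const { field, op, value } = filter;
  if (typeof field !== "string" || !FIELD_NAME.test(field)) {
    throw new TypeError("invalid field name");
  }
  if (!ALLOWED_OPS.has(op)) throw new TypeError(`unsupported operator: ${op}`);
  const t = typeof value;
  if (t !== "string" && t !== "number" && t !== "boolean") {
    throw new TypeError("value must be a string, number or boolean");
  }
  return { field, op, value };
}

function runMapSafe(docs, filter) {
  const { field, op, value } = validateFilter(filter);
  const cmp = ALLOWED_OPS.get(op);
  // Only own properties are consulted, so names such as "constructor" never
  // resolve to anything outside the document itself.
  return docs
    .filter((d) => Object.prototype.hasOwnProperty.call(d, field) && cmp(d[field], value))
    .map((d) => d._id);
}

// Demonstration: a benign "map function" whose only extra statement sets a
// global marker shows that arbitrary statements, not just emit() calls, run.
function demoUnsafeSideEffect() {
  globalThis.__addedExampleMarker = false;
  runMapUnsafe(sampleDocs, "globalThis.__addedExampleMarker = true; emit(doc._id);");
  return globalThis.__addedExampleMarker; // true: the string executed as code
}

// Demonstration: the hardened path refuses a code string outright.
function demoSafeRejectsCode() {
  try {
    runMapSafe(sampleDocs, "globalThis.__addedExampleMarker = true;");
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe ran arbitrary code:", demoUnsafeSideEffect());
  console.log("safe rejects code string:", demoSafeRejectsCode());
  console.log("open rows:", runMapSafe(sampleDocs, { field: "status", op: "equals", value: "open" }));
}
```

The defensive point is that validation alone cannot make `eval()` of free-form text safe; the fix is to change the interface so that the client never supplies executable source, which is also what makes the self-hosted deployment unaffected (CouchDB evaluates its own native views rather than the application server evaluating user text).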
Details
- CWE(s)