CVE-2026-45719— Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-45719
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API
Source: NVD (National Vulnerability Database)
Vulnerability Description
Budibase is an open-source low-code platform. Prior to 3.38.1, the V1 Views API (POST /api/views) accepts a calculation parameter from the request body that is interpolated directly into a CouchDB reduce function definition without validation. Although an internal SCHEMA_MAP object defines the valid calculation types (sum, count, stats), no actual validation is performed against this map before the value is used in string interpolation. A user with Builder permissions can inject arbitrary JavaScript code that will be executed within the CouchDB JavaScript engine when the view is queried. This vulnerability is fixed in 3.38.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-45719
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-45719
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-45719 (1)
Other References for CVE-2026-45719 (1)
- 🔗 Release 3.38.1 · Budibase/budibase · GitHubx_refsource_MISC
Same Patch Batch · Budibase · 2026-05-27 · 20 CVEs total
| CVE-2026-46425 | 9.9 CRITICAL | Budibase: SCIM endpoints lack role-based authorization, BASIC users CRUD tenant users |
| CVE-2026-48150 | 9.0 CRITICAL | Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assi |
| CVE-2026-45716 | 8.8 HIGH | Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Con |
| CVE-2026-45717 | 8.8 HIGH | Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permissio |
| CVE-2026-48153 | 8.5 HIGH | Budibase: SSRF via OAuth2 token endpoint URL reaches internal hosts and cloud metadata |
| CVE-2026-48149 | 8.1 HIGH | Budibase: Stored XSS in Text component: BASIC users execute JS in admin session via Markdo |
| CVE-2026-48152 | 8.1 HIGH | Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasour |
| CVE-2026-46427 | 7.7 HIGH | Budibase: Snowflake private key returned unmasked from datasource API to BASIC users |
| CVE-2026-45061 | 7.7 HIGH | Budibase: SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload (`/api/plugin`) |
| CVE-2026-48146 | 7.7 HIGH | Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection |
| CVE-2026-45548 | 7.7 HIGH | Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation |
| CVE-2026-45715 | 7.7 HIGH | Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration |
| CVE-2026-46426 | 7.6 HIGH | Budibase: Unrestricted Upload of File with Dangerous Type |
| CVE-2026-48151 | 7.5 HIGH | Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of |
| CVE-2026-48147 | 6.5 MEDIUM | Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection |
| CVE-2026-45718 | 5.4 MEDIUM | Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on |
| CVE-2026-46424 | 4.2 MEDIUM | Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users |
| CVE-2026-48128 | Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step | |
| CVE-2026-48148 | Budibase: Unvalidated VectorDB Host Parameter Enables SSRF |
IV. Related Vulnerabilities
Same product: budibase
- CVE-2026-48147
Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypa - CVE-2026-48148
Budibase: Unvalidated VectorDB Host Parameter Enables SSRF - CVE-2026-45548
Budibase: SSRF in AI Extract File Automation Step via Missin - CVE-2026-45715
Budibase: SSRF Bypass via HTTP Redirect in REST Datasource I - CVE-2026-45716
Budibase: Builder-to-Admin Privilege Escalation via onboardU
Same vendor: Budibase
- CVE-2026-48147
Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypa - CVE-2026-48148
Budibase: Unvalidated VectorDB Host Parameter Enables SSRF - CVE-2026-45548
Budibase: SSRF in AI Extract File Automation Step via Missin - CVE-2026-45715
Budibase: SSRF Bypass via HTTP Redirect in REST Datasource I - CVE-2026-45716
Budibase: Builder-to-Admin Privilege Escalation via onboardU
Same weakness: CWE-94
- CVE-2026-44887
Unauthenticated RCE via Python Config File Injection in Save - CVE-2026-44888
Unauthenticated RCE via Python Config File Injection in Save - CVE-2026-42879
FacturaScripts: Authenticated Remote Code Execution (RCE) vi - CVE-2026-6169
affiliate-toolkit <= 3.8.5 - Authenticated (Editor+) Remote - CVE-2026-8832
WPCode <= 2.3.5 - Authenticated (Author+) Remote Code Execut
V. Comments for CVE-2026-45719
No comments yet