CVE-2026-27702
Budibase · Budibase Cloud (SaaS)
Budibase Cloud suffers from an unsafe eval() vulnerability in its view filtering, allowing authenticated users to execute arbitrary JavaScript and access sensitive environment secrets.
Executive summary
An authenticated remote code execution vulnerability in Budibase Cloud allows users to compromise the server environment and extract highly sensitive administrative credentials.
Vulnerability
The flaw is an unsafe eval() call in the inMemoryView.ts component: a filter expression supplied by the requesting user is handed to eval() without validation, so it runs as JavaScript inside the server process. Any authenticated user, including those on free tier accounts, can trigger it and execute arbitrary code with the privileges of the application service.
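To make the bug class concrete, here is an added example (constructed for this page, not code from Budibase's inMemoryView.ts): a filter that evaluates a caller-supplied expression with eval(), beside a hardened version that treats filters as structured data and never executes anything the caller sends. The sample rows, the field list, the operator table and the DEMO_SECRET environment variable are all made up for the demonstration.

```javascript
// Constructed example of the eval()-in-filtering bug class. Not Budibase code;
// rows, field names and DEMO_SECRET are invented for this demonstration.

// Constructed sample rows, standing in for the rows a view would filter.
const SAMPLE_ROWS = [
  { name: "alice", age: 31, email: "alice@example.test" },
  { name: "bob", age: 45, email: "bob@example.test" },
  { name: "carol", age: 28, email: "carol@example.test" },
];

// Constructed secret so the demo runs offline. A real pod would carry values
// such as INTERNAL_API_KEY or JWT_SECRET in the same place.
process.env.DEMO_SECRET = "constructed-secret-value";

// VULNERABLE pattern: the filter is a string from the request, passed straight
// to eval() with the row in scope. The caller can write any JavaScript, and it
// runs with the service's privileges, so process.env is within reach.
function filterRowsUnsafe(rows, expression) {
  return rows.filter((row) => eval(expression));
}

// HARDENED pattern: the filter is structured data. The operator is looked up
// in a fixed table (own properties only, so "constructor" or "__proto__" do
// not resolve through the prototype chain) and the field must be declared in
// the schema. No caller-supplied string is ever executed.
const OPERATORS = {
  equal: (a, b) => a === b,
  notEqual: (a, b) => a !== b,
  greaterThan: (a, b) => typeof a === "number" && a > b,
  lessThan: (a, b) => typeof a === "number" && a < b,
  contains: (a, b) =>
    typeof a === "string" && typeof b === "string" && a.includes(b),
};

function filterRowsSafe(rows, schemaFields, filters) {
  const predicates = filters.map(({ field, operator, value }) => {
    if (!schemaFields.includes(field)) {
      throw new Error(`unknown field: ${field}`);
    }
    if (!Object.prototype.hasOwnProperty.call(OPERATORS, operator)) {
      throw new Error(`unsupported operator: ${operator}`);
    }
    const op = OPERATORS[operator];
    return (row) => op(row[field], value);
  });
  return rows.filter((row) => predicates.every((p) => p(row)));
}

// A benign expression and a malicious one. The malicious one makes no network
// connection: it copies the secret into the row data that the server returns
// in its normal response, which is why egress filtering alone does not help.
function demoUnsafe() {
  const benign = filterRowsUnsafe(SAMPLE_ROWS, "row.age > 30").map((r) => r.name);
  const leaked = filterRowsUnsafe(
    SAMPLE_ROWS.map((r) => ({ ...r })), // clone so SAMPLE_ROWS stays intact
    "(row.name = process.env.DEMO_SECRET, true)"
  ).map((r) => r.name);
  return { benign, leaked };
}

// The hardened evaluator answers the legitimate query and rejects both a
// prototype-chain operator name and a field outside the declared schema.
function demoSafe() {
  const fields = ["name", "age", "email"];
  const ok = filterRowsSafe(SAMPLE_ROWS, fields, [
    { field: "age", operator: "greaterThan", value: 30 },
  ]).map((r) => r.name);
  let rejectedOperator = false;
  try {
    filterRowsSafe(SAMPLE_ROWS, fields, [
      { field: "age", operator: "constructor", value: 0 },
    ]);
  } catch (e) {
    rejectedOperator = true;
  }
  let rejectedField = false;
  try {
    filterRowsSafe(SAMPLE_ROWS, fields, [
      { field: "__proto__", operator: "equal", value: 0 },
    ]);
  } catch (e) {
    rejectedField = true;
  }
  return { ok, rejectedOperator, rejectedField };
}

console.log(demoUnsafe());
console.log(demoSafe());
```

demoUnsafe() returns the benign result (alice and bob) and then a result in which every row's name has been replaced by the secret, delivered in-band through the ordinary response path. demoSafe() returns the same benign result and confirms that both the prototype-chain operator name and the undeclared field are refused before any row is touched.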
Business impact
Because the injected code runs inside the service, a successful exploit reads the pod's environment variables, which include critical secrets such as INTERNAL_API_KEY, JWT_SECRET, and AWS keys. With those in hand an attacker can compromise the platform database, enumerate all tenant databases, and read sensitive user records including email addresses. At CVSS 9.9 this is a critical risk to data confidentiality and platform integrity.
Remediation
Immediate Action: The fix ships in Budibase 3.30.4. Because Budibase Cloud is operated by the vendor, its users cannot upgrade themselves and should confirm with Budibase that the hosted service is running 3.30.4 or later; anyone running the same Budibase release train on their own infrastructure should upgrade to 3.30.4 or later.
Proactive Monitoring: Security teams should review access logs for unusual view filtering activity and rotate the credentials that were present in the pod environment, in particular INTERNAL_API_KEY, JWT_SECRET and any cloud access keys. Rotating a JWT signing secret invalidates tokens issued under the old value, so expect users to be signed out and plan the rotation accordingly.
Compensating Controls: Strict egress filtering on the application environment limits exfiltration to attacker-controlled servers, but it is defence in depth only: code running inside the request handler can return secrets in-band in the application's own HTTP response, so egress filtering does not remove the need for the patch and the credential rotation.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This RCE exposes the foundational secrets of the Budibase Cloud infrastructure. Organizations must verify that their instances are running the patched version and rotate all administrative secrets immediately: credentials captured before the patch remain valid after it and give a malicious actor persistent access until they are rotated.