CVE-2026-54350
Budibase · Budibase
An unauthenticated injection vulnerability in Budibase allows remote attackers to read or modify arbitrary documents in connected databases via maliciously crafted query parameters.
Executive summary
A critical injection vulnerability in Budibase versions prior to 3.39.12 allows unauthenticated attackers to alter the filters of queries that published applications send to connected databases, and so to perform unauthorized read and write operations against those databases.
Vulnerability
Budibase does not neutralize JSON metacharacters (quotes, braces, brackets) in user-supplied query parameters before building the query it sends to a datasource. A parameter value carrying such characters can escape the intended value and alter the structure of the query filter, and because the affected endpoints are reachable without authentication, any remote client can submit one. The result is unauthorized reading or modification of data across connected databases, including MongoDB, CouchDB and Elasticsearch.
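The following is an added illustration of the vulnerability class described above, not Budibase's own code: a saved query's JSON filter text is built by splicing a user-supplied parameter into a template and then parsed, so quotes and braces in the parameter become filter structure. The `{{ email }}` binding syntax, the function names, the MongoDB-style filter and the attacker value are all assumptions made for the illustration; the hardened variant shows the minimal fix of JSON-encoding each bound value before it is spliced in.

```javascript
// Added illustration of the vulnerability class (not Budibase's code). The template syntax,
// function names and the MongoDB-style filter are assumptions made for this example.

// Hypothetical saved query as an app builder might write it, with one {{ email }} binding.
const FILTER_TEMPLATE = '{ "role": "customer", "email": "{{ email }}" }';

const BINDING = /\{\{\s*(\w+)\s*\}\}/g;

// Vulnerable: the raw parameter value is spliced into the JSON text before parsing, so any
// quotes, braces or brackets in the value become part of the filter's structure.
function buildFilterVulnerable(template, params) {
  // A function replacer inserts its return value literally (no "$&" pattern expansion).
  const text = template.replace(BINDING, (_, name) => String(params[name] ?? ''));
  return JSON.parse(text);
}

// Hardened: each bound value is JSON-encoded before splicing, so whatever it contains it can
// only ever be the contents of a JSON string, never a new key, object or operator.
function buildFilterSafe(template, params) {
  const text = template.replace(BINDING, (_, name) => {
    const encoded = JSON.stringify(String(params[name] ?? '')); // e.g. "a\"b"
    return encoded.slice(1, -1); // drop the outer quotes; the template already supplies them
  });
  return JSON.parse(text);
}

// Constructed attacker value: it closes the intended string, rewrites both fields as operator
// objects that match every document, and reopens a string under "$comment" so the JSON text
// stays valid. JSON.parse keeps the last of duplicate keys, so the attacker's keys win.
const ATTACK_EMAIL = '", "role": {"$exists": true}, "email": {"$ne": null}, "$comment": "';

// Builds the same filter both ways for the attacker value and returns both results.
function demo() {
  const vulnerable = buildFilterVulnerable(FILTER_TEMPLATE, { email: ATTACK_EMAIL });
  const safe = buildFilterSafe(FILTER_TEMPLATE, { email: ATTACK_EMAIL });
  return { vulnerable, safe };
}

const result = demo();
console.log('vulnerable filter:', JSON.stringify(result.vulnerable));
console.log('hardened filter:  ', JSON.stringify(result.safe));
```

The vulnerable path yields `{"role":{"$exists":true},"email":{"$ne":null},"$comment":""}`, a filter that matches every document, while the hardened path keeps `role` at `customer` and stores the whole attacker value as the `email` string. Note that the encoding fix only holds when every binding sits inside a JSON string in the template; a stronger design parses the template first and binds values into the resulting object, so a binding can never sit in a structural position at all.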
Business impact
Successful exploitation poses a severe threat to data confidentiality and integrity. The flaw carries a CVSS score of 10.0: it requires no authentication, and an attacker can read and write the data stores behind published applications with whatever privileges the application's datasource credentials hold. This could result in the total compromise of sensitive business information, unauthorized modification of production data, and regulatory non-compliance.
Remediation
Immediate Action: Upgrade all Budibase instances to version 3.39.12 or later. Until an instance is upgraded, restrict network exposure of its published applications where that is feasible.
Proactive Monitoring: Review application, proxy and database logs for query-parameter values containing JSON syntax (quotes, braces, brackets) and for unexpected mass-read or mass-write operations originating from public-facing endpoints. Also confirm that the credentials Budibase uses for each datasource carry only the privileges the application needs, since an injected query runs with those privileges.
Compensating Controls: Where patching must wait, deploy Web Application Firewall (WAF) rules that block query-parameter values containing JSON syntax or unexpected parameter structures. Treat this strictly as a stopgap: such rules can be bypassed with encoding variations, may block legitimate values, and do not fix the underlying injection.
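As an added example for the Proactive Monitoring step above (not Budibase's own logging or tooling), the scanner below walks a request log, URL-decodes each query-parameter value, recurses into nested parameters, and flags any value carrying JSON metacharacters, then counts hits per source address. The JSON-lines log format, its field names and the sample entries are constructed for the illustration; an operator would adapt the record extraction to whatever their proxy or application actually emits.

```javascript
// Added detection example (not Budibase's code). The log format, field names and sample
// entries below are constructed for illustration.

// Characters with structural meaning in JSON text. "$" is included because, once an attacker
// controls structure, MongoDB operator keys such as "$ne" are the usual next step.
const JSON_METACHARS = /["{}\[\]$\\]/;

// Constructed JSON-lines request log: one benign query, one injection in the clear, one
// URL-encoded injection inside a nested parameter, and one unparseable line.
const SAMPLE_LOG = [
  { ts: '2026-05-01T10:00:00Z', src: '203.0.113.5', path: '/api/queries/q1',
    params: { email: 'alice@example.com' } },
  { ts: '2026-05-01T10:00:02Z', src: '198.51.100.7', path: '/api/queries/q1',
    params: { email: '", "email": {"$ne": null}, "$comment": "' } },
  { ts: '2026-05-01T10:00:03Z', src: '198.51.100.7', path: '/api/queries/q1',
    params: { filter: { email: '%22%2C%20%22email%22%3A%20%7B%22%24ne%22%3A%20null%7D%2C%20%22%24comment%22%3A%20%22' } } },
].map((rec) => JSON.stringify(rec)).concat(['not a json line']).join('\n');

// Decodes percent-encoding so an encoded payload is judged by its decoded form; malformed
// sequences are left as-is rather than thrown.
function decodeMaybe(value) {
  try { return decodeURIComponent(value); } catch { return value; }
}

// Yields [dottedPath, string] for every string leaf inside a (possibly nested) parameter set.
function* stringLeaves(value, path = []) {
  if (typeof value === 'string') {
    yield [path.join('.'), value];
  } else if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) yield* stringLeaves(value[i], [...path, i]);
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) yield* stringLeaves(v, [...path, k]);
  }
}

// Returns one finding per parameter value that contains a JSON metacharacter after decoding.
function scanLog(logText) {
  const findings = [];
  for (const line of logText.split('\n')) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip lines that are not records
    for (const [param, raw] of stringLeaves(rec.params ?? {})) {
      const decoded = decodeMaybe(raw);
      if (JSON_METACHARS.test(decoded)) {
        findings.push({ ts: rec.ts, src: rec.src, path: rec.path, param, value: decoded });
      }
    }
  }
  return findings;
}

// Counts findings per source address, the first thing an analyst wants when triaging.
function summarizeBySource(findings) {
  const counts = {};
  for (const f of findings) counts[f.src] = (counts[f.src] ?? 0) + 1;
  return counts;
}

const findings = scanLog(SAMPLE_LOG);
for (const f of findings) console.log(`${f.ts} ${f.src} ${f.path} param=${f.param} value=${f.value}`);
console.log('hits per source:', summarizeBySource(findings));
```

On the sample log this reports two findings, both from `198.51.100.7`, including the percent-encoded one under `filter.email`. The metacharacter set is deliberately broad; tune it per parameter (a free-text field may legitimately contain quotes), and treat a hit as a lead to confirm against the datasource's own query log rather than as proof of exploitation.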
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the critical severity of this vulnerability and the ease of exploitation by unauthenticated actors, immediate remediation is required. Organizations should prioritize updating to the patched version of Budibase and audit database access logs to determine whether unauthorized activity has already occurred.