Platform: nodejs
Component: budibase
Fixed in: 3.30.5, 3.30.4
CVE-2026-27702 is a critical Remote Code Execution (RCE) vulnerability in Budibase Cloud. It allows any authenticated user, including holders of free-tier accounts, to execute arbitrary JavaScript on the server, which can lead to complete compromise of the hosting environment. Only Budibase Cloud (SaaS) deployments are affected; self-hosted instances are not. A fix is available in version 3.30.4.
The impact of CVE-2026-27702 is severe because it allows complete server takeover. An attacker who exploits it executes arbitrary code inside the Budibase Cloud environment, with access to the data and application configurations reachable from the app-service pod in which the code runs, and potentially a foothold from which to pivot to other systems in the network. Because the app-service pod has access to a wide range of resources, the blast radius is considerably larger than a single tenant's application. The root cause is the familiar one: user-controlled input, here the JavaScript map function supplied when defining a view, is handed to the server's JavaScript engine for execution, the same failure as passing unsanitized data to eval().
CVE-2026-27702 was publicly disclosed on 2026-02-25. Its EPSS score of 0.07% (22nd percentile) predicts a low probability of in-the-wild exploitation over the next 30 days, but that score should not be read as low risk: the attack requires nothing more than an authenticated account, which any free-tier signup provides, and the outcome is full server compromise. Public proof-of-concept code, if it appears, would raise the likelihood quickly. No active exploitation campaigns had been confirmed at the time of writing; check the CISA KEV catalog directly for the current status, since an entry there indicates evidence of active exploitation and changes the urgency of the response.
Exploit Status
EPSS: 0.07% (22nd percentile)
CISA SSVC
CVSS Vector
The fix for CVE-2026-27702 is in Budibase 3.30.4. Budibase Cloud is operated by Budibase, so tenants do not upgrade it themselves; confirm with Budibase that your tenant is running 3.30.4 or later. Until that is confirmed, reduce exposure by limiting which authenticated users can create or edit views, the feature that accepts the map function, since any account with that capability, including a free-tier account, could exploit the flaw. A WAF signature is impractical because the payload is ordinary JavaScript submitted through a legitimate feature; instead, review views created or modified by low-privilege accounts and treat any map function that references process, require, child_process or similar server-side identifiers as hostile. After the fix is deployed, verify it by creating a view whose map function attempts a server-side action (reading an environment variable, for example) and confirming that the request is rejected or the code does not execute.
Budibase version 3.30.4 contains the fix for this remote code execution vulnerability. Once a Budibase Cloud tenant is on 3.30.4 or later, authenticated users can no longer use a view's map function to execute arbitrary JavaScript on the server.
CVE-2026-27702 is a critical Remote Code Execution vulnerability in Budibase Cloud that allows any authenticated user to execute arbitrary JavaScript on the server. It affects versions before 3.30.4.
If you use Budibase Cloud (SaaS) and your tenant is not yet on version 3.30.4 or later, you are vulnerable. Self-hosted Budibase deployments are not affected.
Confirm that your Budibase Cloud tenant is on version 3.30.4 or later. Until then, restrict which users can create or edit views as a temporary mitigation.
No active exploitation campaigns have been confirmed, but the low barrier to exploitation (any authenticated account) and the severity of the outcome mean it should be treated as high priority.
Refer to the official Budibase security advisory on their website for detailed information and updates: [https://budibase.com/security/advisories](https://budibase.com/security/advisories)