GHSA-QQF5-X7MJ-V43P: SQL Injection Vulnerabilities in Budibase Database Connectors
Vulnerability ID: GHSA-QQF5-X7MJ-V43P
CVSS Score: 8.4
Published: 2026-06-18
A technical analysis of SQL injection vulnerabilities affecting Budibase's database connectors for PostgreSQL, Microsoft SQL Server, and MySQL. Due to direct concatenation of schema and table identifiers into raw SQL queries, authenticated administrative users or malicious database schemas can execute arbitrary SQL commands.
TL;DR
Budibase database connectors contain SQL injection vulnerabilities in PostgreSQL, MS SQL, and MySQL integrations due to dynamic concatenation of unescaped schema and table identifiers, allowing authenticated administrators or malicious database catalogs to execute arbitrary SQL commands.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-89
- Attack Vector: Network (AV:N)
- CVSS v3.1: 8.4 (High)
- Exploit Status: PoC (Proof of Concept)
- Impact: Data Exfiltration, Arbitrary DDL/DML, and OS command execution
- Affected Components: PostgreSQL, MS SQL, and MySQL Database Connectors
Affected Systems
- Budibase Low-Code Platform PostgreSQL Connector
- Budibase Low-Code Platform MS SQL Connector
- Budibase Low-Code Platform MySQL Connector
Mitigation Strategies
- Upgrade Budibase to version 3.39.19 or higher
- Apply the database principle of least privilege for connection users
- Disable xp_cmdshell on Microsoft SQL Server databases
- Restrict Budibase administrative permissions to trusted personnel
Remediation Steps:
- Identify all active Budibase installations running versions below 3.39.19
- Pull the patched Docker image using 'docker pull budibase/budibase:3.39.19' or update via your deployment manager
- Restart the Budibase containers to apply the update
- Review database connection configurations to ensure they use low-privilege database roles
References
Read the full report for GHSA-QQF5-X7MJ-V43P on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)