{"uuid": "e5efcc02-4e2d-422b-b4d3-de19c9c20e4f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-QQF5-X7MJ-V43P", "type": "seen", "source": "https://gist.github.com/alon710/61d74af534dcdd96aec9286f239a170e", "content": "# GHSA-QQF5-X7MJ-V43P: SQL Injection Vulnerabilities in Budibase Database Connectors\n\n> **CVSS Score:** 8.4\n> **Published:** 2026-06-18\n> **Full Report:** https://cvereports.com/reports/GHSA-QQF5-X7MJ-V43P\n\n## Summary\nA technical analysis of SQL injection vulnerabilities affecting Budibase's database connectors for PostgreSQL, Microsoft SQL Server, and MySQL. Because schema and table identifiers are concatenated directly into raw SQL queries, authenticated administrative users or malicious database schemas can execute arbitrary SQL commands.\n\n## TL;DR\nBudibase database connectors contain SQL injection vulnerabilities in the PostgreSQL, MS SQL, and MySQL integrations due to dynamic concatenation of unescaped schema and table identifiers, allowing authenticated administrators or malicious database catalogs to execute arbitrary SQL commands.\n\n## Exploit Status: PoC\n\n## Technical Details\n\n- **CWE ID**: CWE-89\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1**: 8.4 (High)\n- **Exploit Status**: PoC (Proof of Concept)\n- **Impact**: Data Exfiltration, Arbitrary DDL/DML, and OS command execution\n- **Affected Components**: PostgreSQL, MS SQL, and MySQL Database Connectors\n\n## Affected Systems\n\n- Budibase Low-Code Platform PostgreSQL Connector\n- Budibase Low-Code Platform MS SQL Connector\n- Budibase Low-Code Platform MySQL Connector\n\n## Mitigation\n\n- Upgrade Budibase to version 3.39.19 or higher\n- Apply the database principle of least privilege for connection users\n- Disable xp_cmdshell on Microsoft SQL Server databases\n- Restrict Budibase administrative permissions to trusted personnel\n\n**Remediation Steps:**\n1. Identify all active Budibase installations running versions below 3.39.19\n2. Pull the patched Docker image using 'docker pull budibase/budibase:3.39.19' or update via your deployment manager\n3. Restart the Budibase containers to apply the update\n4. Review database connection configurations to ensure they use low-privilege database roles\n\n## References\n\n- [GitHub Security Advisory GHSA-QQF5-X7MJ-V43P](https://github.com/advisories/GHSA-QQF5-X7MJ-V43P)\n- [Budibase Project Repository](https://github.com/Budibase/budibase)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-QQF5-X7MJ-V43P) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-18T19:42:11.000000Z"}