Response to Recent Security Vulnerability Disclosure

Security researchers recently publicized a report of an alleged vulnerability in Bubble that they claim allows running arbitrary queries against Elasticsearch databases.

We take our users’ data security very seriously, and want to correct its significant inaccuracies.

The most important aspect to clarify is that the technique described in this report does not allow unauthorized access to user data in any Bubble-created application that has properly configured privacy rules. As we state in our Documentation, as well as our educational materials, privacy rules are an essential part of your app’s security. Any database data that is private or sensitive needs to be protected with privacy rules to be considered secure. We offer a number of tools to help users properly secure their app, including our Flusk security suite, as well as in-editor warnings if users attempt to deploy an app without privacy rules configured.

We strongly urge all users concerned about this report to audit their privacy rules, including running Flusk on their applications, to ensure that they are properly protected. We want to be clear that any attempts to bypass properly configured privacy rules to access non-public data are prohibited by our Terms.

Bubble is built to host all different kinds of applications, which themselves host a range of public and private data. As explained in our security documentation, Bubble operates on a shared responsibility model: We provide the platform and tools, while application builders are responsible for implementing appropriate privacy rules for their specific use cases. It is not a platform vulnerability that data not secured by privacy rules is accessible, since many users deliberately host public data on our platform.

Another clarification: The technique described in this report does not allow arbitrary execution of Elasticsearch queries, as claimed. The security researchers have reverse-engineered the internal API we use to let Bubble-hosted webpages request data from our servers. This API is designed to be secure: It authenticates users and prevents accessing data that they ought not have access to as defined in the application’s privacy rules, and it properly transforms all queries to protect against injection attacks. In fact, this API is not even powered by Elasticsearch, so the claim that it allows arbitrary Elasticsearch queries has no basis in fact.

Like many modern websites, Bubble-built applications run large amounts of JavaScript code in user web browsers and communicate with their servers via APIs. Any JavaScript sent to the client, and any API calls made by the client, are inherently public, and reverse-engineerable. While we do not publish many of the implementation details of how Bubble apps work, we expect that anything in the web browser could be investigated by end users, and design our security posture accordingly.

If you have any concerns about building safely on Bubble, we are happy to help — please reach out to us and we can give you more guidance on the tools you can use to properly secure your application.

The Bubble Team

Important Update 1:30pm EDT

The original post was deleted by the author and they have posted this follow-up:

Hello,

We’ve removed the post on the Bubble zero day. The purpose of the post was to draw attention to the issue — which was indeed addressed.

As a recap, 2 researchers published a paper on Bubble-dot-io and how to exploit it. Bubble ignored them. We were requested to relay the issue loudly so it was addressed. It was addressed. Bubble asserts they do not consider this an exploit because this is the result of users failing to RTM and follow the Bubble security guidelines.

I will personally take the L that it was a stretch to classify this as zero day when this is the result of users not following the Bubble best practices guide. It does not impact Bubble in totality.

19 Likes

Thanks for this reply from the team. I’m not afraid for security from Bubble itself. In most cases, issues are linked to privacy rules not set correctly (or not set at all). However, there’s one case where security can be improved: the file upload endpoint (even for larger files). These endpoints need to remain available, but they could request the Bubble admin API key.

Also, I did a lot of reverse engineering on Bubble to understand how this works, how security works and what else we can do with what Bubble allows. An example is to create a more advanced file manager than what Bubble actually allows. For me, there’s no security issue with that as the endpoint is secure and requires authorization.

1 Like

If anyone wants the TLDR, it’s the same thing you’ve all heard before on the forum and in the docs:

Privacy rules are the only thing that restrict data access in your Bubble apps, and correctly configured privacy rules will effectively restrict data access.

The pentesters disclosing a vulnerability (it’s not a vulnerability) are essentially saying that users can access data they are permitted to access… a non issue

10 Likes

Thanks for the post, Fede.

1 Like

btw

7 Likes

Thanks @fede.bubble for replying. Actually I have read the post itself and I am not concerned by it. It says that they can access data in applications where privacy rules have not restricted access, so that’s not a zero day or whatever it’s called. Setting privacy rules and securing the app is definitely the app builder’s responsibility.

1 Like

Love the speed that this was addressed at publicly, big W for the bubble team.

8 Likes

And props to @georgecollier who was all over it on X from the get-go!

jfc I was so annoyed and I don’t even work for Bubble. Even if they didn’t know anything about Bubble, surely they could’ve worked out there were server-side privacy policies in place…

It is what it is.

1 Like

The “security paper” from two no-name “researchers” that don’t have public profiles reads like a bunch of chatGPT’d prose. Wouldn’t be surprised if this was a psyop from a competitor.

1 Like

I guessed it was an ex-user that is still upset about something.

1 Like

I was literally going to edit “or an angry ex-user” but I was too lazy to.

1 Like

Please, dark mode… 😅

Also kudos to Bubble for quietly solving 2 very long-standing security issues somewhat recently. 😉

1 Like