Which versions of Budibase are affected by CVE-2026-25044?

Budibase versions before 3.33.4 contain a remote code execution vulnerability allowing authenticated users with automation privileges to execute arbitrary system commands, potentially compromising…. A patch is available.

How to fix or mitigate CVE-2026-25044?

24 hours: Inventory all Budibase deployments and identify instances running versions prior to 3.33.4; document users with automation step privileges. 7 days: Upgrade all Budibase instances to version 3.33.4 or later; if upgrade is not immediately feasible, restrict automation step access to trusted administrator accounts only and disable bash automation steps where possible. 30 days: Conduct access review of all users with automation privileges; enable audit logging for automation step creation and execution; establish change control process for automation feature modifications.

Budibase CVE-2026-25044

Q: What is the CVSS score of CVE-2026-25044?

CVE-2026-25044 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-18754 HIGH

OS Command Injection (CWE-78)

2026-04-03 GitHub_M

GHSA-gjw9-34gf-rp6m

Command Injection Budibase

8.7

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.7 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Patch released

Apr 04, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 03, 2026 - 16:00 euvd

EUVD-2026-18754

Analysis Generated

Apr 03, 2026 - 16:00 vuln.today

CVE Published

Apr 03, 2026 - 15:38 nvd

HIGH 8.7

DescriptionGitHub Advisory

Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing arbitrary command execution. This issue has been patched in version 3.33.4.

AnalysisAI

Remote code execution in Budibase low-code platform versions prior to 3.33.4 enables authenticated attackers to execute arbitrary system commands through the bash automation step feature. The vulnerability stems from unsanitized user input processed via template interpolation in execSync calls, allowing command injection with low attack complexity. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate to Budibase platform

Delivery

Create automation with bash step

Exploit

Inject command via template interpolation

Execution

Execute arbitrary commands via execSync

Impact

Compromise system with application privileges