Skip to main content

Forceworkbench CVE-2026-35178

| EUVDEUVD-2026-19450 CRITICAL
Code Injection (CWE-94)
2026-04-06 GitHub_M
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

8
Analysis Updated
Apr 16, 2026 - 05:46 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
65.0.0
Analysis Updated
Apr 16, 2026 - 04:42 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 16, 2026 - 04:33 vuln.today
cvss_changed
EUVD ID Assigned
Apr 06, 2026 - 19:30 euvd
EUVD-2026-19450
Analysis Generated
Apr 06, 2026 - 19:30 vuln.today
CVE Published
Apr 06, 2026 - 19:01 nvd
CRITICAL 9.3

DescriptionGitHub Advisory

Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains remote code execution vulnerability in the timezone conversion flow, which processes attacker-controlled cookie values in an unsafe manner. This vulnerability is fixed in 65.0.0.

AnalysisAI

Remote code execution in Workbench (forceworkbench) versions prior to 65.0.0 allows network-based attackers to execute arbitrary code by exploiting unsafe processing of attacker-controlled cookie values during timezone conversion operations. The vulnerability requires user interaction (CVSS UI:P) but no authentication (PR:N), enabling compromise of both the vulnerable component and other system components (scope change: SC:H/SI:H). EPSS score of 0.51% (66th percentile) indicates moderate exploitation probability. No active exploitation confirmed in CISA KEV at time of analysis. Vendor-released patch available in version 65.0.0 with public GitHub advisory and fix PR.

Technical ContextAI

Workbench (forceworkbench) is an administrative and development toolkit for Salesforce.com Force.com API interactions. The vulnerability stems from CWE-94 (Improper Control of Generation of Code/Code Injection), where the timezone conversion functionality fails to sanitize cookie values before processing them in a code execution context. The CVSS vector indicates network attack vector (AV:N) with low complexity (AC:L), suggesting the timezone conversion feature accepts cookie input without proper validation or encoding. CPE identifier cpe:2.3:a:forceworkbench:forceworkbench confirms this is the open-source Workbench project. Cookie-based code injection typically occurs when server-side code evaluates, deserializes, or dynamically executes content from HTTP cookies without strict input validation, allowing attackers to inject malicious payloads that execute with application privileges.

RemediationAI

Upgrade to forceworkbench version 65.0.0 or later immediately. The fix is documented in GitHub pull request #869 (https://github.com/forceworkbench/forceworkbench/pull/869) and vendor security advisory GHSA-jw63-m86r-2jxc (https://github.com/forceworkbench/forceworkbench/security/advisories/GHSA-jw63-m86r-2jxc). For environments unable to upgrade immediately: disable timezone conversion functionality if operationally feasible (trade-off: users cannot convert timestamps between zones, may impact usability for global teams). Implement strict cookie input validation and sanitization before any processing (trade-off: requires code modification and testing, may break legitimate timezone data formats). Deploy web application firewall rules to inspect and block cookie values containing code injection patterns such as eval(), exec(), system calls, or serialization signatures (trade-off: potential false positives may disrupt legitimate usage, requires tuning). Restrict Workbench access to trusted internal networks only via IP allowlisting (trade-off: prevents remote administrative access, may conflict with distributed team workflows). All workarounds are temporary mitigations; upgrading to 65.0.0 remains the definitive remediation.

Share

CVE-2026-35178 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy