
Budibase CVE-2026-35216

EUVD-2026-18795 · CRITICAL
OS Command Injection (CWE-78)
2026-04-03 · GitHub_M · GHSA-fcm4-4pj2-m5hf
CVSS 3.1 score 9.0 (GitHub Advisory)

Severity by source

GitHub Advisory (primary): 9.0 CRITICAL, AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Apr 04, 2026 08:30 (nvd): Patch released; patch available
Apr 03, 2026 16:00 (euvd): EUVD ID assigned, EUVD-2026-18795
Apr 03, 2026 16:00 (vuln.today): Analysis generated
Apr 03, 2026 15:45 (nvd): CVE published

Description (GitHub Advisory)

Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. This issue has been patched in version 3.33.4.

Analysis (AI)

Remote code execution in Budibase versions prior to 3.33.4 allows unauthenticated attackers to execute arbitrary Bash commands with root privileges inside the application container by exploiting public webhook endpoints that trigger automation workflows. The vulnerability stems from improper neutralization of special elements in OS commands (CWE-78) and requires no authentication, though the CVSS complexity is rated high (AC:H). …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Send HTTP request to public webhook endpoint
Exploit: Trigger automation with Bash step
Execution: Execute arbitrary bash commands
Impact: Achieve RCE as root user

Vulnerability Assessment (AI)

Exploitation: Requires Budibase versions prior to 3.33.4 with an automation containing a Bash step exposed via a public webhook endpoint. …
Risk Assessment: This vulnerability presents critical real-world risk despite the AC:H (high complexity) rating. …
Exploit Scenario: An unauthenticated remote attacker discovers a Budibase instance with exposed webhook endpoints by scanning for the platform's characteristic API paths. The attacker identifies an automation workflow that includes a Bash execution step, either through endpoint enumeration or by creating a test webhook if the platform allows anonymous workflow creation. …
Remediation: Upgrade immediately to Budibase version 3.33.4 or later, which contains the security patch addressing the unauthenticated RCE vulnerability. …

Recommended Action (AI)

Within 24 hours: Identify all Budibase deployments and verify their versions; immediately isolate any instance running a version prior to 3.33.4 from untrusted networks, or disable public webhook endpoints if version confirmation is incomplete. …

