CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Description
Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. This issue has been patched in version 3.33.4.
Analysis
Remote code execution in Budibase versions prior to 3.33.4 allows unauthenticated attackers to execute arbitrary Bash commands with root privileges inside the application container by exploiting public webhook endpoints that trigger automation workflows. The vulnerability stems from improper neutralization of special elements in OS commands (CWE-78) and requires no authentication, though the CVSS complexity is rated high (AC:H). …
Remediation
Within 24 hours: Identify all Budibase deployments and verify their versions; immediately isolate any instance running a version prior to 3.33.4 from untrusted networks, or disable the public webhook endpoints if version confirmation is incomplete. Within 7 days: Upgrade all Budibase instances to version 3.33.4 or later once the vendor releases the patched version (confirm availability with the vendor); if the upgrade cannot be completed, implement network segmentation that limits webhook endpoint access to trusted internal IPs only. …
EUVD-2026-18795
GHSA-fcm4-4pj2-m5hf