CVE-2026-25041
Command Injection in Budibase PostgreSQL Integration via Unsanitized Inputs
Publication date: 2026-03-09
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| budibase | budibase | up to and including 3.23.22 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unsafe construction of shell commands using user-controlled PostgreSQL configuration values without proper sanitization, leading to potential shell injection.

To detect this vulnerability on your system, check whether your Budibase installation is version 3.23.22 or earlier and whether it uses the PostgreSQL integration that constructs shell commands with unsanitized inputs.

Since the vulnerable code executes shell commands such as pg_dump with interpolated parameters, you can monitor for suspicious shell command executions involving pg_dump, or for unexpected environment variables such as PGPASSWORD being set in shell commands.

You can also audit your Budibase source code or installation for the presence of the vulnerable pattern, for example by searching for shell command constructions that include database configuration values directly.

- Use command-line search to find vulnerable code patterns: `grep -r 'pg_dump' /path/to/budibase`
- Monitor running processes for suspicious pg_dump executions: `ps aux | grep pg_dump`
- Check the environment variables of running Budibase processes for PGPASSWORD usage: `cat /proc/<pid>/environ | tr '\0' '\n' | grep PGPASSWORD`
- Review Budibase logs for any errors or unusual activity related to the PostgreSQL integration or schema export features.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or removing the vulnerable external schema export functionality that relies on shelling out to pg_dump with unsanitized inputs.

Update or patch your Budibase installation to a version in which the external schema export endpoint and the SQL troubleshooting UI have been removed, as these changes eliminate the attack vector.

Ensure that the PostgreSQL integration does not construct shell commands by directly interpolating user-controlled configuration values. Instead, use safe methods such as Node.js's execFile, passing sensitive data through environment variables.

Validate and sanitize all database configuration inputs rigorously to prevent injection.

- Remove or disable the `/api/datasources/:datasourceId/schema/external` endpoint if present.
- Remove or disable the SQL troubleshooting UI components related to PostgreSQL.
- Avoid using shell commands for database dumps; prefer native PostgreSQL client library methods.
- If possible, upgrade Budibase to a version that includes the fix removing the vulnerable functionality.
Can you explain this vulnerability to me?
CVE-2026-25041 is a critical command injection vulnerability in the PostgreSQL integration of Budibase versions 3.23.22 and earlier. It occurs because the integration constructs shell commands for the pg_dump utility by directly interpolating user-controlled configuration values, such as database name, host, password and other connection parameters, into a shell command string without proper sanitization or escaping.

This unsafe construction allows an attacker who can control or inject these configuration values to execute arbitrary shell commands on the system running Budibase, potentially leading to remote code execution and system compromise.

The vulnerability arises from shell commands of the form `PGPASSWORD="password" pg_dump --schema-only "..."`, where the password and other parameters are embedded directly into the string, enabling injection of additional commands.
How can this vulnerability impact me?
This vulnerability can have severe impacts, including remote code execution on the server hosting Budibase, unauthorized system access, data exfiltration and full system compromise.

An attacker exploiting this vulnerability could run arbitrary shell commands by injecting malicious input into database configuration parameters, potentially deleting files, stealing sensitive data or installing malware.

Because the vulnerability affects the PostgreSQL integration's handling of shell commands, it poses a high risk, especially in environments where attackers can influence database connection settings.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know