CVE-2026-25041
Received Received - Intake
Command Injection in Budibase PostgreSQL Integration via Unsanitized Inputs

Publication date: 2026-03-09

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The password and other connection parameters are directly interpolated into a shell command. This affects packages/server/src/integrations/postgres.ts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-09
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25041
EUVD
EUVD-2026-10352
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
budibase budibase to 3.23.22 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25041 is a critical command injection vulnerability in the PostgreSQL integration of Budibase versions 3.23.22 and earlier. The vulnerability occurs because the integration constructs shell commands for the pg_dump utility by directly interpolating user-controlled configuration values such as database name, host, password, and other connection parameters into a shell command string without proper sanitization or escaping.'}, {'type': 'paragraph', 'content': 'This unsafe construction allows an attacker who can control or inject these configuration values to execute arbitrary shell commands on the system running Budibase, potentially leading to remote code execution and system compromise.'}, {'type': 'paragraph', 'content': 'The vulnerability arises from using shell commands like: PGPASSWORD="password" pg_dump --schema-only "..." where the password and other parameters are embedded directly, enabling injection of malicious commands.'}] [3]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have severe impacts including remote code execution on the server hosting Budibase, unauthorized system access, data exfiltration, and full system compromise.'}, {'type': 'paragraph', 'content': 'An attacker exploiting this vulnerability could run arbitrary shell commands by injecting malicious input into database configuration parameters, potentially deleting files, stealing sensitive data, or installing malware.'}, {'type': 'paragraph', 'content': "Because the vulnerability affects the PostgreSQL integration's handling of shell commands, it poses a high risk especially in environments where attackers can influence database connection settings."}] [3]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unsafe construction of shell commands using user-controlled PostgreSQL configuration values without proper sanitization, leading to potential shell injection.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you can check if your Budibase installation is version 3.23.22 or earlier and if it uses the PostgreSQL integration that constructs shell commands with unsanitized inputs.'}, {'type': 'paragraph', 'content': 'Since the vulnerable code executes shell commands like pg_dump with interpolated parameters, you can monitor for suspicious shell command executions involving pg_dump or unexpected environment variables such as PGPASSWORD being set in shell commands.'}, {'type': 'paragraph', 'content': 'You can also audit your Budibase source code or installation for the presence of the vulnerable pattern, for example by searching for shell command constructions that include database configuration values directly.'}, {'type': 'list_item', 'content': "Use command-line search to find vulnerable code patterns: `grep -r 'pg_dump' /path/to/budibase`"}, {'type': 'list_item', 'content': 'Monitor running processes for suspicious pg_dump executions: `ps aux | grep pg_dump`'}, {'type': 'list_item', 'content': "Check environment variables in running Budibase processes for PGPASSWORD usage: `cat /proc/<pid>/environ | tr '\\0' '\\n' | grep PGPASSWORD`"}, {'type': 'list_item', 'content': 'Review Budibase logs for any errors or unusual activity related to PostgreSQL integration or schema export features.'}] [3, 1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include disabling or removing the vulnerable external schema export functionality that relies on shelling out to pg_dump with unsanitized inputs.'}, {'type': 'paragraph', 'content': 'Update or patch your Budibase installation to a version where the external schema export endpoint and SQL troubleshooting UI have been removed, as these changes eliminate the attack vector.'}, {'type': 'paragraph', 'content': "Ensure that PostgreSQL integration does not construct shell commands by directly interpolating user-controlled configuration values. Instead, use safe methods such as Node.js's execFile with environment variables to handle sensitive data."}, {'type': 'paragraph', 'content': 'Validate and sanitize all database configuration inputs rigorously to prevent injection.'}, {'type': 'list_item', 'content': 'Remove or disable the `/api/datasources/:datasourceId/schema/external` endpoint if present.'}, {'type': 'list_item', 'content': 'Remove or disable the SQL troubleshooting UI components related to PostgreSQL.'}, {'type': 'list_item', 'content': 'Avoid using shell commands for database dumps; prefer native PostgreSQL client library methods.'}, {'type': 'list_item', 'content': 'If possible, upgrade Budibase to a version that includes the fix removing the vulnerable functionality.'}] [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25041. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart