CVE-2026-35178
Status: Received - Intake
Remote Code Execution in Workbench via Unsafe Cookie Handling

Publication date: 2026-04-06

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains a remote code execution vulnerability in the timezone conversion flow, which processes attacker-controlled cookie values in an unsafe manner. This vulnerability is fixed in 65.0.0.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Associated CPE (1):
Vendor: forceworkbench
Product: forceworkbench
Version range: all versions before 65.0.0 (65.0.0 excluded)
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-35178 is a critical remote code execution vulnerability that allows unauthorized code execution through unsafe processing of attacker-controlled cookie values. This vulnerability can lead to high impacts on confidentiality and integrity, including unauthorized data disclosure and modification.

Such impacts on confidentiality and integrity can potentially affect compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access or alteration.

However, the provided information does not explicitly mention any direct effects or assessments related to compliance with these standards.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability arises from unsafe processing of attacker-controlled cookie values in the timezone conversion flow of forceworkbench versions prior to 65.0.0. Detection involves identifying whether your system is running a vulnerable version of forceworkbench (any release before 65.0.0) and checking for suspicious or malformed cookie values that could trigger remote code execution.

Since the vulnerability is related to PHP code injection via cookies, you can inspect HTTP requests for unusual or suspicious cookie values that might contain code injection payloads.

Suggested commands to detect the vulnerable version and suspicious activity include:

  • Check the installed forceworkbench version by reviewing the application version or release notes.
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture HTTP traffic and filter for suspicious cookies.
  • Example command to capture HTTP traffic on port 80 or 443: tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep 'Cookie' (note that on port 443 the headers are inside TLS, so cookies are only visible when the capture is taken after TLS termination, for example on the loopback interface behind a reverse proxy)
  • Search web server logs for requests containing suspicious cookie values or unusual parameters.
  • Use grep to find references to create_function() in the codebase, which is deprecated and related to the vulnerability: grep -r 'create_function' /path/to/forceworkbench

Note that no specific detection scripts or signatures are provided in the available resources.


What immediate steps should I take to mitigate this vulnerability?

The only effective mitigation for this critical remote code execution vulnerability is to upgrade forceworkbench to version 65.0.0 or later, where the vulnerability has been fixed.

This upgrade replaces the unsafe use of the deprecated PHP function create_function() with anonymous closures and adds input validation for cookie-based configuration values, eliminating the code injection risk.

No workarounds exist to mitigate this vulnerability without upgrading.

  • Immediately plan and perform an upgrade of forceworkbench to version 65.0.0 or newer.
  • Review and apply any related security patches or updates provided by the forceworkbench maintainers.
  • After upgrading, verify that the application no longer uses create_function() and that input validation is in place.
  • Monitor logs and network traffic for any suspicious activity during and after the upgrade.
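The following is an added illustration of the fix shape described in the answer above (validate the cookie-supplied timezone, then build the converter with a closure rather than create_function()). It is not code from the Workbench project: the cookie name, function names and overall structure are assumptions, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not the Workbench project's code. Cookie name, function
// names and structure are assumptions. It demonstrates the hardened pattern:
// a cookie value is only ever used as data, after an exact allowlist match,
// and the converter is an ordinary closure.
//
// The weak pattern (CWE-94) is create_function('$utc', '... "' . $cookie . '" ...'):
// the cookie text becomes part of PHP source that is compiled and run, so the
// client controls what gets compiled. create_function() is deprecated in PHP 7.2
// and removed in PHP 8.0, so the fix is also required for modern PHP.

const TZ_COOKIE  = 'workbench_tz';   // assumed cookie name
const DEFAULT_TZ = 'UTC';

/**
 * Return the candidate only if it is a timezone identifier PHP itself knows
 * (exact, case-sensitive match); anything else falls back to the default.
 * Typical call site: resolveTimezone($_COOKIE[TZ_COOKIE] ?? null).
 */
function resolveTimezone(?string $candidate): string
{
    if ($candidate === null) {
        return DEFAULT_TZ;
    }
    return in_array($candidate, DateTimeZone::listIdentifiers(), true)
        ? $candidate
        : DEFAULT_TZ;
}

/**
 * Build the converter as a closure over a validated DateTimeZone object.
 * The timezone is a captured variable, never interpolated into source text.
 */
function makeConverter(string $tz): Closure
{
    $zone = new DateTimeZone($tz);
    return static function (string $utcTimestamp) use ($zone): string {
        $dt = new DateTimeImmutable($utcTimestamp, new DateTimeZone('UTC'));
        return $dt->setTimezone($zone)->format('Y-m-d H:i:s T');
    };
}

// Self-check with constructed cookie values (no real requests involved).
// The second and third values are not valid identifiers and must fall back.
$cases = [
    'America/Los_Angeles' => '2026-04-06 08:00:00 PDT',
    'Not/AZone'           => '2026-04-06 15:00:00 UTC',
    'europe/paris'        => '2026-04-06 15:00:00 UTC',  // case mismatch, rejected
];

foreach ($cases as $cookieValue => $expected) {
    $tz      = resolveTimezone($cookieValue);
    $convert = makeConverter($tz);
    $got     = $convert('2026-04-06 15:00:00');
    printf("%-22s -> %-20s %s\n", $cookieValue, $tz, $got === $expected ? 'ok' : 'MISMATCH');
}
```

The allowlist comes from PHP's bundled timezone database, so it tracks whatever identifiers the runtime accepts; a deployment that wants a tighter policy can substitute a fixed list of the zones it actually supports. Either way, the cookie value is compared against known strings and never reaches eval-like code, which is what removes the CWE-94 condition.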

Can you explain this vulnerability to me?

CVE-2026-35178 is a critical remote code execution (RCE) vulnerability in the Salesforce Workbench tool, specifically in the timezone conversion process. The vulnerability arises because attacker-controlled cookie values are processed insecurely, allowing malicious input to be executed as code. This is due to the use of the deprecated PHP function create_function(), which enables code injection. An attacker can exploit this flaw remotely without any privileges or user interaction.


How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized disclosure and modification of data. Since it allows remote code execution, an attacker can run arbitrary code on the affected system, potentially compromising confidentiality and integrity of data. However, it does not impact system availability. The vulnerability can be exploited remotely with low complexity and no privileges required, making it highly dangerous.

