Compliance Impact

CVE-2026-35216 allows unauthenticated remote code execution on self-hosted Budibase instances, enabling attackers to execute arbitrary commands as root inside the container.

This can lead to exfiltration of sensitive environment variables and credentials, unauthorized access to application data, and potential privilege escalation or container escape.

Such unauthorized access and data exposure can result in violations of data protection regulations and standards like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and breaches.

Therefore, this vulnerability poses a significant risk to compliance by potentially exposing sensitive data and compromising system integrity and availability.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-35216 is a critical vulnerability in Budibase, an open-source low-code platform, that allows unauthenticated remote code execution (RCE) on the Budibase server. The issue arises from the Bash automation step, which executes shell commands using unsafe methods. Specifically, the vulnerable Bash step accepted user-supplied commands via a public webhook endpoint without authentication, and executed them as root inside the container using Node.js's execSync function. This allowed attackers to inject arbitrary shell commands by exploiting template variables in the Bash command input.

The vulnerability exists because the Bash step processed a command string with Handlebars template variables derived from the webhook request body, enabling attackers to craft malicious payloads that get executed on the server. The public webhook endpoint is exposed without authentication, so any attacker with network access can trigger this exploit.

The issue was fixed by replacing the unsafe execSync call with the safer execa library, which separates the command and its arguments and enforces strict validation and escaping to prevent command injection. The fix also rejects dynamic templating in the command field and requires arguments to be a JSON array of strings.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts on affected Budibase deployments, especially self-hosted instances using Bash automation steps triggered by webhooks. Because the exploit requires no authentication, an attacker can remotely execute arbitrary commands as root inside the container.

• Execute arbitrary OS commands with root privileges inside the container.
• Exfiltrate sensitive environment variables such as JWT secrets, API encryption keys, and database credentials.
• Pivot to internal services like CouchDB, Redis, and MinIO to further compromise the environment.
• Forge JWT tokens to impersonate users and escalate privileges.
• Potentially escape the container if it is privileged or has volume mounts, leading to host compromise.
• Read, write, or delete application data, causing data loss or corruption.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your Budibase instance is running a vulnerable version (prior to 3.33.4) and if it has an automation configured with a webhook trigger and a Bash automation step that executes commands using template variables.

You can detect exploitation attempts by monitoring HTTP POST requests to the public webhook endpoint `/api/webhooks/trigger/:instance/:id` that contain suspicious payloads in the JSON body, especially fields like `cmd` that may carry shell commands.

Suggested commands to detect potential exploitation attempts include network monitoring or logging tools to capture POST requests to the webhook endpoint. For example, using `tcpdump` or `ngrep` to filter HTTP POST requests to port 10000 (default Budibase proxy port):

• tcpdump -A -s 0 'tcp dst port 10000 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
• ngrep -W byline -d any 'POST /api/webhooks/trigger/' tcp and port 10000

Additionally, inspecting Budibase automation configurations for Bash steps that use template variables in the `code` input can help identify vulnerable automations.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and most effective mitigation is to upgrade Budibase to version 3.33.4 or later, where this vulnerability has been patched.

If upgrading immediately is not possible, you should disable or remove any automations that use the Bash automation step triggered by public webhooks, especially those that use template variables in the command input.

Restrict network access to the Budibase proxy port (default 10000) to trusted sources only, preventing unauthenticated attackers from reaching the webhook endpoint.

Review and audit existing automations for unsafe Bash steps and remove or modify them to avoid executing untrusted input.

Apply the official patch which replaces unsafe command execution with the safer `execa` library, enforces strict validation of command arguments, and rejects dynamic templating in the command field.

Useful 0 Not Useful 0