CVE-2026-35216
Unauthenticated Remote Code Execution in Budibase Webhook Automation
Publication date: 2026-04-03
Last updated on: 2026-04-08
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| budibase | budibase | up to 3.33.4 (excluding 3.33.4) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-35216 allows unauthenticated remote code execution on self-hosted Budibase instances, enabling attackers to execute arbitrary commands as root inside the container.
This can lead to exfiltration of sensitive environment variables and credentials, unauthorized access to application data, and potential privilege escalation or container escape.
Such unauthorized access and data exposure can result in violations of data protection regulations and standards like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and breaches.
Therefore, this vulnerability poses a significant risk to compliance by potentially exposing sensitive data and compromising system integrity and availability.
Can you explain this vulnerability to me?
CVE-2026-35216 is a critical vulnerability in Budibase, an open-source low-code platform, that allows unauthenticated remote code execution (RCE) on the Budibase server. The issue arises from the Bash automation step, which executes shell commands using unsafe methods. Specifically, the vulnerable Bash step accepted user-supplied commands via a public webhook endpoint without authentication, and executed them as root inside the container using Node.js's execSync function. This allowed attackers to inject arbitrary shell commands by exploiting template variables in the Bash command input.
The vulnerability exists because the Bash step processed a command string with Handlebars template variables derived from the webhook request body, enabling attackers to craft malicious payloads that get executed on the server. The public webhook endpoint is exposed without authentication, so any attacker with network access can trigger this exploit.
The issue was fixed by replacing the unsafe execSync call with the safer execa library, which separates the command and its arguments and enforces strict validation and escaping to prevent command injection. The fix also rejects dynamic templating in the command field and requires arguments to be a JSON array of strings.
How can this vulnerability impact me?
This vulnerability can have severe impacts on affected Budibase deployments, especially self-hosted instances using Bash automation steps triggered by webhooks. Because the exploit requires no authentication, an attacker can remotely execute arbitrary commands as root inside the container. Possible consequences include the ability to:
- Execute arbitrary OS commands with root privileges inside the container.
- Exfiltrate sensitive environment variables such as JWT secrets, API encryption keys, and database credentials.
- Pivot to internal services like CouchDB, Redis, and MinIO to further compromise the environment.
- Forge JWT tokens to impersonate users and escalate privileges.
- Potentially escape the container if it is privileged or has volume mounts, leading to host compromise.
- Read, write, or delete application data, causing data loss or corruption.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Budibase instance is running a vulnerable version (prior to 3.33.4) and if it has an automation configured with a webhook trigger and a Bash automation step that executes commands using template variables.
You can detect exploitation attempts by monitoring HTTP POST requests to the public webhook endpoint `/api/webhooks/trigger/:instance/:id` that contain suspicious payloads in the JSON body, especially fields like `cmd` that may carry shell commands.
Suggested commands to detect potential exploitation attempts include network monitoring or logging tools to capture POST requests to the webhook endpoint. For example, using `tcpdump` or `ngrep` to filter HTTP POST requests to port 10000 (default Budibase proxy port):
- `tcpdump -A -s 0 'tcp dst port 10000 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'`
- `ngrep -W byline -d any 'POST /api/webhooks/trigger/' tcp and port 10000`
Additionally, inspecting Budibase automation configurations for Bash steps that use template variables in the `code` input can help identify vulnerable automations.
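The two checks described above (flagging webhook POSTs whose JSON body fields carry shell metacharacters, and auditing automation definitions for Bash steps that template the `code` input), as an added example that is not Budibase tooling. The request-record format and the automation JSON shape (`trigger.type`, `steps[].stepId`, `steps[].inputs.code`) are constructed for this example and are assumptions, not Budibase's actual log or export formats; adapt the field names to whatever your proxy logs and the automation export actually contain.

```javascript
// Added example (not Budibase's own tooling): defender-side checks for
// CVE-2026-35216. flagWebhookRequests() scans request records for POSTs to the
// public webhook endpoint whose JSON body fields contain shell metacharacters;
// auditAutomations() scans automation definitions for Bash steps whose `code`
// input uses template variables. Record and automation shapes are assumed.

const WEBHOOK_PATH = /^\/api\/webhooks\/trigger\/[^/]+\/[^/]+/;
// Characters that would change the meaning of a shell command line if the
// field were interpolated into one.
const SHELL_META = /[;|&`$<>\n]|\$\(/;

// Walk a parsed JSON body and collect every string leaf with its dotted path.
function stringLeaves(value, prefix = '') {
  if (typeof value === 'string') return [[prefix, value]];
  if (value && typeof value === 'object') {
    return Object.entries(value).flatMap(([k, v]) =>
      stringLeaves(v, prefix ? `${prefix}.${k}` : k));
  }
  return [];
}

// records: array of { ts, method, path, body } where body is the raw JSON text.
function flagWebhookRequests(records) {
  const hits = [];
  for (const rec of records) {
    if (rec.method !== 'POST' || !WEBHOOK_PATH.test(rec.path)) continue;
    let body;
    try {
      body = JSON.parse(rec.body);
    } catch {
      continue; // non-JSON bodies are out of scope for this check
    }
    for (const [field, text] of stringLeaves(body)) {
      if (SHELL_META.test(text)) {
        hits.push({ ts: rec.ts, path: rec.path, field, value: text });
      }
    }
  }
  return hits;
}

// automations: array of { name, trigger: { type }, steps: [{ stepId, inputs }] }
// (assumed shape). Flags Bash steps whose code input contains {{ ... }} and
// records whether the automation is reachable from a webhook trigger.
function auditAutomations(automations) {
  const findings = [];
  for (const auto of automations) {
    const webhookTriggered = Boolean(auto.trigger && auto.trigger.type === 'WEBHOOK');
    for (const step of auto.steps || []) {
      if (step.stepId !== 'EXECUTE_BASH') continue;
      const code = (step.inputs && step.inputs.code) || '';
      if (/\{\{[\s\S]*?\}\}/.test(code)) {
        findings.push({ automation: auto.name, webhookTriggered, code });
      }
    }
  }
  return findings;
}

// Constructed sample data (not real traffic or real automations).
const sampleRequests = [
  { ts: '2026-04-03T10:00:00Z', method: 'POST', path: '/api/webhooks/trigger/app_dev_1/wh_1', body: '{"cmd":"report.csv"}' },
  { ts: '2026-04-03T10:00:05Z', method: 'POST', path: '/api/webhooks/trigger/app_dev_1/wh_1', body: '{"cmd":"x; echo injected"}' },
  { ts: '2026-04-03T10:00:09Z', method: 'GET',  path: '/api/webhooks/trigger/app_dev_1/wh_1', body: '' },
  { ts: '2026-04-03T10:00:12Z', method: 'POST', path: '/api/global/auth', body: '{"username":"a|b"}' },
];
const sampleAutomations = [
  { name: 'nightly export', trigger: { type: 'CRON' },
    steps: [{ stepId: 'EXECUTE_BASH', inputs: { code: 'ls /data' } }] },
  { name: 'webhook runner', trigger: { type: 'WEBHOOK' },
    steps: [{ stepId: 'EXECUTE_BASH', inputs: { code: 'echo {{ trigger.body.cmd }}' } }] },
];

console.log('suspicious webhook requests:', flagWebhookRequests(sampleRequests));
console.log('templated Bash steps:', auditAutomations(sampleAutomations));
```

The request check deliberately ignores non-webhook paths (the `/api/global/auth` record above is skipped even though it contains a `|`), which keeps the alert tied to the endpoint this CVE concerns; the automation audit reports every templated Bash step and lets the `webhookTriggered` flag decide priority.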
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade Budibase to version 3.33.4 or later, where this vulnerability has been patched.
If upgrading immediately is not possible, you should disable or remove any automations that use the Bash automation step triggered by public webhooks, especially those that use template variables in the command input.
Restrict network access to the Budibase proxy port (default 10000) to trusted sources only, preventing unauthenticated attackers from reaching the webhook endpoint.
Review and audit existing automations for unsafe Bash steps and remove or modify them to avoid executing untrusted input.
Apply the official patch which replaces unsafe command execution with the safer `execa` library, enforces strict validation of command arguments, and rejects dynamic templating in the command field.