CVE-2026-35178

Critical

Published: 06 April 2026

Published

06 April 2026

Modified

16 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0033 56.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains remote code execution vulnerability in the timezone conversion flow, which processes attacker-controlled cookie values in an…

unsafe manner. This vulnerability is fixed in 65.0.0.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly addresses the CVE by requiring timely identification, reporting, and patching of the RCE flaw in Workbench versions prior to 65.0.0.

SI-10 Information Input Validation good match

prevent

Mandates validation of attacker-controlled cookie values prior to processing in the timezone conversion flow, preventing arbitrary code execution.

SI-16 Memory Protection partial match

prevent

Provides memory protection mechanisms that mitigate exploitation of the RCE vulnerability even if malicious code is injected via unsafe cookie processing.

Security SummaryAI

CVE-2026-35178 is a remote code execution vulnerability (CWE-94) in Workbench, a suite of tools used by administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. The flaw exists in the timezone conversion flow prior to version 65.0.0, where attacker-controlled cookie values are processed unsafely, enabling arbitrary code execution. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.

The vulnerability can be exploited remotely by unauthenticated attackers with network access and no user interaction required. Exploitation involves crafting malicious cookie values that trigger code execution during timezone conversion processing, potentially allowing full compromise of the affected Workbench instance, including execution of arbitrary commands, data exfiltration, or further lateral movement within the environment.

Mitigation is available through upgrading to Workbench version 65.0.0, which addresses the unsafe cookie processing in the timezone conversion flow. Official advisories, including the GitHub security advisory (GHSA-jw63-m86r-2jxc) and the associated pull request (#869), detail the patch and recommend immediate updates for all prior versions.

Details

CWE(s): CWE-94

Affected Products

forceworkbench

≤ 65.0.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE-2026-35178 enables unauthenticated remote code execution in the public-facing Workbench web application via malicious cookie values in timezone conversion, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/forceworkbench/forceworkbench/pull/869
Issue Tracking, Vendor Advisory · security-advisories@github.com
https://github.com/forceworkbench/forceworkbench/security/advisories/GHSA-jw63-m86r-2jxc
Vendor Advisory · security-advisories@github.com