Cyber Posture

CVE-2026-35216

Severity: Critical · Public PoC available

Published: 03 April 2026
Modified: 08 April 2026
CVSS Score: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0060 (69.6th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. This issue has been patched in version 3.33.4.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- Prevent: Limits permitted actions without identification or authentication, preventing unauthenticated attackers from triggering dangerous Bash automations via the public webhook endpoint.
- Prevent: Validates inputs to the public webhook endpoint to block OS command injection payloads that enable RCE in Bash steps.
- Prevent: Provides specific protections for publicly accessible interfaces like the webhook endpoint to mitigate unauthorized RCE exploitation.

Security Summary (AI-generated)

CVE-2026-35216 is a remote code execution (RCE) vulnerability affecting Budibase, an open-source low-code platform, in versions prior to 3.33.4. The flaw stems from CWE-78 (OS Command Injection) and allows an unauthenticated attacker to execute arbitrary code on the Budibase server by triggering an automation workflow containing a Bash step through the public webhook endpoint. The vulnerability carries a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), reflecting its critical impact despite requiring high attack complexity.

Any unauthenticated remote attacker can exploit this vulnerability without privileges or user interaction by sending a crafted request to the public webhook endpoint, which triggers the malicious automation. Successful exploitation results in RCE on the server, with the Bash process executing as root within the container, potentially granting full control over the host environment and enabling data exfiltration, persistence, or further lateral movement.

Budibase has addressed the issue in version 3.33.4, as detailed in the official security advisory (GHSA-fcm4-4pj2-m5hf), release notes, associated pull request (#18238), and patching commit (f0c731b409a96e401445a6a6030d2994ff4ac256). Security practitioners should immediately upgrade to 3.33.4 or later and review webhook configurations to disable or restrict unauthenticated automations with Bash steps.

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products:

| Vendor | Product | Versions |
|---|---|---|
| budibase | budibase | ≤ 3.33.4 |

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Unauthenticated RCE via OS command injection (CWE-78) in the public webhook endpoint of a web-facing low-code platform (Budibase) enables exploitation of a public-facing application (T1190) and arbitrary Unix shell (Bash) command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
