CVE-2026-35216NVD

Vulnerability Summary

Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. This issue has been patched in version 3.33.4.

Severity Level

CRITICAL(9.0)

Published Date

Apr 3, 2026

Last Modified

Apr 8, 2026

Exploitation Status

????

EPSS Score (30-Day)

0.60%Probability

Root Weakness (CWE)

CWE-78: OS Command Injection ↗

The software constructs all or part of an OS command using externally-influenced input, but does not properly neutralize special elements.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityHigh

Privileges RequiredNone

User InteractionNone

ScopeChanged

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

External References

https://github.com/Budibase/budibase/commit/f0c731b409a96e401445a6a6030d2994ff4ac256
https://github.com/Budibase/budibase/pull/18238
https://github.com/Budibase/budibase/releases/tag/3.33.4
https://github.com/Budibase/budibase/security/advisories/GHSA-fcm4-4pj2-m5hf
https://github.com/Budibase/budibase/security/advisories/GHSA-fcm4-4pj2-m5hf

Critical Alert

CVE Watchtower

CVE-2026-35216NVD

Vulnerability Summary

External References