PT-2026-30192 · Budibase · Budibase

Da7Om85 · Published 2026-04-03 · Updated 2026-04-06 · CVE-2026-35216

CVSS v3.1: 9.0 Critical
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 3.33.4

Description: Budibase, an open-source low-code platform, has a critical vulnerability that lets an unauthenticated attacker achieve remote code execution (RCE) on the Budibase server by triggering, through the public webhook endpoint, an automation that contains a Bash step; the process runs as root inside the container. The root cause is a webhook trigger misconfigured to allow unauthenticated access, combined with Handlebars template processing of the webhook input, whose rendered result is executed as a shell command. An attacker sends a crafted HTTP POST request to the /api/webhooks/trigger/{appId}/{webhookId} endpoint (route /api/webhooks/trigger/:instance/:id) with a malicious payload in the cmd field, and the resulting command runs on the server with root privileges. The attack requires that an admin has previously created an automation with a webhook trigger and a Bash step that uses a trigger field template. The vulnerable sink is the Bash automation step, specifically the processStringSync and execSync functions. The attack chain is: HTTP POST to the webhook trigger endpoint, which fires the automation, which executes the Bash step with the attacker-controlled payload. The number of potentially affected devices is not specified.

Recommendations: Update to version 3.33.4 or later.

Exploit

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-35216
GHSA-FCM4-4PJ2-M5HF

Affected Products

Budibase