Description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The password and other connection parameters are directly interpolated into a shell command. This affects packages/server/src/integrations/postgres.ts.
Published: 2026-03-09
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection leading to arbitrary shell execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the PostgreSQL integration of Budibase, where user‑controlled configuration values – such as database name, host, and password – are interpolated directly into a shell command without sanitization. This permits an attacker to inject malicious payloads, leading to arbitrary shell command execution on the host running the Budibase server. The potential impact includes full compromise of the affected system, data exfiltration, or disruption of services because the injected commands run with the privileges of the Budibase application process.

Affected Systems

Budibase, the low‑code platform for internal tools and workflows. All releases up to and including 3.23.22 are affected; the flaw is located in packages/server/src/integrations/postgres.ts. Any deployment that uses PostgreSQL integration and accepts configuration values from users could be vulnerable.

Risk and Exploitability

The CVSS score of 8.6 indicates a high‑severity weakness. The EPSS score is below 1 %, suggesting low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack vector is likely remote if an attacker can influence the configuration parameters – for example, through a user‑provided UI, API or environment variables – and can thereby execute arbitrary shell commands on the server. The absence of a public fix at the time of this report highlights the need for immediate remediation to prevent potential compromise.

Generated by OpenCVE AI on April 16, 2026 at 10:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Budibase to a version newer than 3.23.22, which contains the corrected PostgreSQL integration logic.
  • If upgrading immediately is not possible, sanitize all configuration values before feeding them into shell commands – replace or escape special characters, or use parameterized database APIs that avoid shell invocation.
  • Disable or remove the PostgreSQL dump feature until a patch is applied, or isolate the Budibase service in a restricted container so that any potential command injection is contained.

Generated by OpenCVE AI on April 16, 2026 at 10:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-726g-59wr-cj4c @budibase/server: Command Injection in PostgreSQL Dump Command
History

Fri, 13 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Budibase
Budibase budibase
Vendors & Products Budibase
Budibase budibase

Mon, 09 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Description Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The password and other connection parameters are directly interpolated into a shell command. This affects packages/server/src/integrations/postgres.ts.
Title Budibase has a Command Injection in PostgreSQL Dump Command
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Budibase Budibase
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:34:21.741Z

Reserved: 2026-01-28T14:50:47.886Z

Link: CVE-2026-25041

cve-icon Vulnrichment

Updated: 2026-03-09T20:31:37.699Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-09T20:16:07.147

Modified: 2026-03-13T19:23:55.590

Link: CVE-2026-25041

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T10:15:26Z

Weaknesses