Description
Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing arbitrary command execution. This issue has been patched in version 3.33.4.
Published: 2026-04-03
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: Remote Command Execution
Action: Immediate Patch
AI Analysis

Impact

The flaw lies in the bash automation step where user supplied commands are executed with execSync without sanitization. The interpreter processes template interpolation, allowing execution of arbitrary shell commands. Successful exploitation gives the attacker full control over the host system, leading to potential data theft, system compromise, and service disruption. The weakness is classified as CWE‑78 Command Injection.

Affected Systems

The issue affects Budibase versions prior to 3.33.4. The low‑code platform is distributed as a community edition, and the vulnerability exists in the automation step module. Upgrading to 3.33.4 or later removes the vulnerable code path.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. EPSS data is not available, and the vulnerability is not listed in CISA's KEV catalog. The probable attack vector involves providing malicious input to the bash automation step, which is processed by processStringSync and then passed to execSync, enabling command execution. The vulnerability is likely to be exploitable in environments where the automation step is exposed to untrusted users.

Generated by OpenCVE AI on April 3, 2026 at 18:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading Budibase to version 3.33.4 or later.
  • Verify that the software version has been updated to 3.33.4 or newer.
  • Restrict or disable access to the bash automation step for untrusted users until a patch has been applied.
  • Monitor system logs for any attempts to execute unexpected shell commands.

Generated by OpenCVE AI on April 3, 2026 at 18:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gjw9-34gf-rp6m Budibase: Command Injection in Bash Automation Step
History

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Budibase
Budibase budibase
Vendors & Products Budibase
Budibase budibase

Fri, 03 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing arbitrary command execution. This issue has been patched in version 3.33.4.
Title Budibase: Command Injection in Bash Automation Step
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Budibase Budibase
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T16:45:28.857Z

Reserved: 2026-01-28T14:50:47.886Z

Link: CVE-2026-25044

cve-icon Vulnrichment

Updated: 2026-04-03T16:45:24.137Z

cve-icon NVD

Status : Received

Published: 2026-04-03T16:16:35.870

Modified: 2026-04-03T16:16:35.870

Link: CVE-2026-25044

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T21:15:15Z

Weaknesses