Description
Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains a remote code execution vulnerability in the timezone conversion flow, which processes attacker-controlled cookie values in an unsafe manner. This vulnerability is fixed in 65.0.0.
Published: 2026-04-06
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Workbench contains an unsafe timezone conversion routine that processes cookie values. Maliciously crafted cookies can inject and execute arbitrary code on the server, allowing an attacker to gain full control of the application and potentially the underlying system. This results in a severe confidentiality and integrity compromise.

Affected Systems

All installations of the Workbench suite with a version older than 65.0.0 are affected. The flaw exists in the administrative and developer tools that interact with Salesforce.com APIs across the code base prior to the patch. Inventorying Workbench deployments and checking the version number is essential to determine exposure.

Risk and Exploitability

The CVSS score of 9.3 classifies this vulnerability as critical. No public exploit has been reported and EPSS data is not available, but because the flaw is remote code execution, any attacker able to set a malicious cookie on the Workbench instance can exploit it. The likely attack vector is inferred to be a remote web request containing the harmful cookie. The vulnerability is not listed in CISA’s KEV catalog, but the high severity and easy exploitation path warrant urgent attention.

Generated by OpenCVE AI on April 7, 2026 at 02:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Force Workbench to version 65.0.0 or later
  • Verify the Workbench version after applying the update

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 20:45:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Forceworkbench; Forceworkbench forceworkbench

Type: Vendors & Products
Values Removed: (none)
Values Added: Forceworkbench; Forceworkbench forceworkbench

Mon, 06 Apr 2026 20:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains a remote code execution vulnerability in the timezone conversion flow, which processes attacker-controlled cookie values in an unsafe manner. This vulnerability is fixed in 65.0.0.

Type: Title
Values Removed: (none)
Values Added: Workbench Affected by Remote Code Execution (RCE) via Malicious Cookie in Timezone Conversion

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-94

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T14:04:48.145Z

Reserved: 2026-04-01T17:26:21.133Z

Link: CVE-2026-35178

Vulnrichment

Updated: 2026-04-07T14:04:44.296Z

NVD

Status: Awaiting Analysis

Published: 2026-04-06T20:16:25.927

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-35178

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:37:37Z