Description
Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. This issue has been patched in version 3.33.4.
Published: 2026-04-03
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated attacker can exploit a flaw in the Budibase platform by triggering a public webhook that initiates an automation with a Bash step. The resulting shell command is executed with root privileges inside the container, allowing the attacker to run arbitrary code on the host. This gives full control over the server, compromising confidentiality, integrity, and availability of all data and services managed by Budibase.

Affected Systems

Budibase low-code platform, all installations running a version prior to 3.33.4. No specific sub-components are listed, but the vulnerability affects the core automation engine that processes webhook requests.

Risk and Exploitability

The vulnerability scores a CVSS of 9.1, indicating critical severity. The EPSS shows an exploitation probability of less than 1%, and the issue is not listed in the CISA KEV catalog. Attackers do not need authentication and can trigger the exploit through any exposed webhook endpoint, making the attack vector straightforward and likely to succeed if the endpoint is publicly reachable.

Generated by OpenCVE AI on April 8, 2026 at 22:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Budibase to version 3.33.4 or later without delay.
  • If an immediate upgrade is not possible, restrict access to public webhook endpoints or disable the webhook feature until a patch is applied.
  • Enforce container best practices by running Budibase processes under a non-root user and restricting shell access.
  • Continuously monitor logs for unexpected webhook activity and run vulnerability scans to confirm that the fix has been implemented.


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-fcm4-4pj2-m5hf
Title: Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step
History

Wed, 08 Apr 2026 21:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 21:30:00 +0000

Type: First Time appeared
Values Added: Budibase; Budibase budibase

Type: Vendors & Products
Values Added: Budibase; Budibase budibase

Fri, 03 Apr 2026 17:45:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 16:30:00 +0000

Type: Description
Values Added: Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. This issue has been patched in version 3.33.4.

Type: Title
Values Added: Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step

Type: Weaknesses
Values Added: CWE-78

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T16:46:23.789Z

Reserved: 2026-04-01T18:48:58.938Z

Link: CVE-2026-35216

Vulnrichment

Updated: 2026-04-03T16:46:14.173Z

NVD

Status : Analyzed

Published: 2026-04-03T16:16:41.800

Modified: 2026-04-08T21:19:00.380

Link: CVE-2026-35216

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:29:11Z

Weaknesses