Description
Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. This issue has been patched in version 3.33.4.
Published: 2026-04-03
Score: 9.1 Critical
EPSS: 12.0% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated attacker can exploit a flaw in Budibase by triggering a public webhook that initiates an automation containing a Bash step. The resulting shell command runs with root privileges inside the container, enabling the attacker to execute arbitrary code there. This yields full control over the Budibase server, compromising the confidentiality, integrity, and availability of all data and services it manages.

Affected Systems

Budibase low‑code platform, all installations running a version prior to 3.33.4. No specific sub‑components are listed, but the vulnerability affects the core automation engine that processes webhook requests.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.1, indicating critical severity. The EPSS score of 12% suggests a moderate likelihood of exploitation, and the issue is not listed in the CISA KEV catalog. Attackers do not need authentication and can trigger the exploit through any exposed webhook endpoint, so the attack is likely to succeed if the endpoint is publicly reachable.

Generated by OpenCVE AI on June 18, 2026 at 09:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Budibase to version 3.33.4 or later without delay.
  • If an immediate upgrade is not possible, restrict access to public webhook endpoints or disable the webhook feature until a patch is applied.
  • Enforce container best practices by running Budibase processes under a non‑root user and restricting shell access.
  • Continuously monitor logs for unexpected webhook activity to detect potential exploitation attempts.



Advisories

Source | ID | Title
GitHub GHSA | GHSA-fcm4-4pj2-m5hf | Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step
History

Wed, 08 Apr 2026 21:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 21:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Budibase; Budibase budibase
Vendors & Products | | Budibase; Budibase budibase

Fri, 03 Apr 2026 17:45:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. This issue has been patched in version 3.33.4.
Title | | Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step
Weaknesses | | CWE-78
References | |
Metrics | | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Budibase Budibase
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T16:46:23.789Z

Reserved: 2026-04-01T18:48:58.938Z

Link: CVE-2026-35216

Vulnrichment

Updated: 2026-04-03T16:46:14.173Z

NVD

Status: Analyzed

Published: 2026-04-03T16:16:41.800

Modified: 2026-06-17T10:40:13.487

Link: CVE-2026-35216

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T09:45:15Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')