Description
Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. This issue has been patched in version 3.33.4.
Published: 2026-04-03
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated attacker can trigger an automation that includes a Bash step via a public webhook endpoint in Budibase. The vulnerability allows the attacker to execute arbitrary shell commands with root privileges inside the container, which can compromise the entire server and data. The weakness is a command injection identified as CWE-78.

Affected Systems

Budibase, the open-source low-code platform, is affected in all releases prior to version 3.33.4. The issue was fixed in release 3.33.4. No other vendors or products are listed.

Risk and Exploitability

The CVSS base score of 9.1 places this vulnerability in the Critical severity range. Because the exposure is via a publicly reachable webhook and requires no authentication, exploitation is straightforward for any attacker who can reach the endpoint. The EPSS score is not available, and the vulnerability is not yet present in the CISA KEV catalog. The impact scope is the entire Budibase instance, as the compromised process runs with root privileges.

Generated by OpenCVE AI on April 3, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Budibase version 3.33.4 or later

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 21:30:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Budibase
                                       Budibase budibase
Vendors & Products                     Budibase
                                       Budibase budibase

Fri, 03 Apr 2026 17:45:00 +0000

Type                 Values Removed    Values Added
Metrics                                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 16:30:00 +0000

Type                 Values Removed    Values Added
Description                            Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. This issue has been patched in version 3.33.4.
Title                                  Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step
Weaknesses                             CWE-78
References
Metrics                                cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Budibase Budibase
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T16:46:23.789Z

Reserved: 2026-04-01T18:48:58.938Z

Link: CVE-2026-35216

Vulnrichment

Updated: 2026-04-03T16:46:14.173Z

NVD

Status: Received

Published: 2026-04-03T16:16:41.800

Modified: 2026-04-03T17:16:53.273

Link: CVE-2026-35216

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T21:15:11Z

Weaknesses