Platform: nodejs
Component: @budibase/server
Fixed in: 3.33.5, 3.33.4
CVE-2026-35216 represents a critical Remote Code Execution (RCE) vulnerability affecting the Budibase server. An unauthenticated attacker can exploit this flaw by triggering an automation with a Bash step through the public webhook endpoint, resulting in arbitrary code execution. This vulnerability impacts versions of Budibase prior to 3.33.4, and a patch is available in version 3.33.4.
CVE-2026-35216 in Budibase allows an unauthenticated attacker to achieve Remote Code Execution (RCE) on the Budibase server. This is accomplished by triggering an automation that contains a Bash step via the public webhook endpoint. The severity of this vulnerability is high (CVSS 9.0) due to the ease of exploitation and potential impact. The process executes as root inside the container, meaning a successful attacker could gain complete control of the system. The lack of authentication on the webhook endpoint makes exploitation trivial, as no credentials are required to activate the malicious automation. It is crucial to apply the update to version 3.33.4 or later to mitigate this risk.
An attacker can exploit this vulnerability by sending an HTTP POST request to the public webhook endpoint of Budibase. This request must include data that triggers an automation configured with a Bash step. The Bash step can contain malicious commands that will be executed with root privileges inside the container. Because no authentication is required, anyone with access to the network where Budibase is running can potentially exploit this vulnerability. The simplicity of the exploitation makes it a significant concern, especially for environments with internet exposure.
Exploit Status
EPSS: 0.55% (68th percentile)
CISA SSVC
CVSS Vector
The primary solution to mitigate CVE-2026-35216 is to update Budibase to version 3.33.4 or later. This version includes a fix that prevents the execution of arbitrary Bash commands through the public webhook. Additionally, review all existing automations to identify and remove any Bash steps that could be exploited. As a precautionary measure, consider restricting access to the public webhook using a firewall or Access Control List (ACL), although the update is the most effective solution. Monitoring the Budibase server logs for suspicious activity related to the webhook can also help detect and respond to potential exploitation attempts.
Update Budibase to version 3.33.4 or later. This version fixes the unauthenticated remote code execution vulnerability via webhooks and Bash automation steps. The update will prevent unauthenticated attackers from executing arbitrary code on the server.
A webhook is a way for one application to provide real-time information to another application. In this case, the Budibase webhook is used to trigger automations.
Root execution is a default configuration in Budibase for certain automation steps. This allows automations to perform tasks that require elevated privileges, but also increases the risk if the vulnerability is exploited.
If you cannot update immediately, consider restricting access to the public webhook using a firewall or ACL. However, this is only a partial mitigation, and the update is the recommended solution.
Review the configuration of each automation in Budibase. Look for those that have a step configured to execute Bash commands.
Currently, there are no automated tools available to detect this vulnerability. The best way to determine if you are vulnerable is to verify the version of Budibase you are running.
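As an added example (not part of this advisory or the Budibase project), a Python check that reads an npm lockfile and reports any installed @budibase/server below the 3.33.4 fix; the lockfile contents and the `packages` layout assumed below are a constructed sample.

```python
import json
import re

FIXED_VERSION = (3, 33, 4)  # first fixed release named in the advisory


def parse_version(text):
    """Return the numeric (major, minor, patch) tuple from a version string.

    Accepts a leading 'v', a leading range operator (^, ~, >=) and any
    pre-release/build suffix; raises ValueError when no x.y.z core is found.
    Caveat: a pre-release such as '3.33.4-rc.1' is treated as 3.33.4.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True when the given @budibase/server version predates the 3.33.4 fix."""
    return parse_version(version) < FIXED_VERSION


def vulnerable_server_packages(lockfile_text):
    """Scan a package-lock.json (lockfileVersion 2/3 'packages' map) for
    installed copies of @budibase/server and return those still affected."""
    lock = json.loads(lockfile_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/@budibase/server") and "version" in meta:
            if is_vulnerable(meta["version"]):
                hits.append((path, meta["version"]))
    return hits


# Constructed sample lockfile for demonstration; not taken from a real deployment.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "node_modules/@budibase/server": {"version": "3.33.2"},
        "node_modules/@budibase/string-templates": {"version": "3.33.2"},
    },
})

if __name__ == "__main__":
    for path, version in vulnerable_server_packages(SAMPLE_LOCK):
        print(f"{path}: {version} is affected, upgrade to 3.33.4 or later")
```

Point `vulnerable_server_packages` at the contents of the deployment's own lockfile to check a real install; a Docker image tag can be passed to `is_vulnerable` directly.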