Budibase CVE-2026-35216: Overview of Unauthenticated RCE via Webhook and Bash Automation

A brief summary of CVE-2026-35216, a critical unauthenticated remote code execution vulnerability in self-hosted Budibase instances that chains a public webhook endpoint with the Bash automation step to achieve root-level command execution inside the container.

CVE Analysis


ZeroPath CVE Analysis

2026-04-03

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

An unauthenticated remote code execution flaw in Budibase's self-hosted deployments allows any external attacker to run arbitrary commands as root inside the application container, with no credentials required. The attack chains a publicly accessible webhook endpoint with the platform's Bash automation step, turning a legitimate low-code feature into a direct OS command injection sink.

Budibase is an open-source low-code platform founded in Belfast in 2019, designed for building internal business applications. The company reports that over 200,000 teams use its toolkit, and its self-hosting option is a core selling point for organizations with strict data privacy requirements. Because the platform connects to backend databases such as Postgres and MySQL and hosts sensitive internal tooling, a root-level RCE vulnerability carries significant consequences for its user base.

Technical Information

CVE-2026-35216 is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and carries a CVSS base score of 9.0. The vulnerability chains two distinct components in the Budibase architecture: an unauthenticated public webhook endpoint and the Bash automation step's unsanitized use of Handlebars template substitution before passing input to execSync().

The Unauthenticated Webhook Endpoint

The webhook trigger endpoint, located at packages/server/src/api/routes/webhook.ts, is registered on public routes with no authentication middleware. This is by design; webhooks are intended to receive external events. However, this means any unauthenticated HTTP client can send a POST request to the endpoint and trigger an associated automation workflow.

The Command Injection Sink

The vulnerable code path resides in the Bash automation step at packages/server/src/automations/steps/bash.ts. When an automation is triggered, the application uses Handlebars template processing on the Bash step's code field. Values from the webhook request body are flattened into the automation context and substituted directly into the shell command string. The resulting string is then passed to Node.js's execSync() function for execution.

Because the webhook payload fields flow directly into the Handlebars template without sanitization or escaping, an attacker can embed arbitrary OS commands in the request body. These commands are then evaluated and executed by execSync().

Attack Flow

The exploitation proceeds through the following steps:

  1. The attacker identifies a self hosted Budibase instance where an administrator has created and published an automation containing a Webhook trigger connected to a Bash step.
  2. The Bash step's code field references a trigger field template, which is a Handlebars expression that pulls a value from the incoming webhook payload.
  3. The attacker sends a crafted POST request to the public webhook endpoint. The request body contains a malicious OS command embedded in the field that the Bash step's template references.
  4. Budibase processes the webhook, substitutes the attacker-controlled value into the Bash step's code via Handlebars, and passes the resulting string to execSync().
  5. The injected command executes as root inside the container.

Preconditions

Three conditions must be met for the attack chain to be viable:

  • The deployment must be self hosted. The Bash step is only registered when the self hosted environment variable is active.
  • An administrator must have created and published an automation containing a Webhook trigger and a Bash step.
  • The Bash step's code field must use a trigger field template that references data from the webhook payload.

Impact

Successful exploitation grants the attacker root-level command execution inside the container. This enables arbitrary OS command execution, exfiltration of sensitive secrets (database credentials, JWT secrets, API keys, storage keys), lateral movement to internal services reachable from the container, and potential container escape if privileged mounts or flags are configured.

Affected Systems and Versions

| Affected Versions | Patched Version | Action Required |
|---|---|---|
| 3.30.6 and prior | 3.33.4 | Upgrade immediately to version 3.33.4 |

Only self hosted Budibase deployments are affected. The Bash automation step is only registered when the self hosted environment variable is active. Budibase Cloud instances are not vulnerable to this specific attack vector.

The vulnerability requires that an administrator has created and published an automation combining a Webhook trigger with a Bash step that uses trigger field templates.

Vendor Security History

Budibase has disclosed multiple high and critical severity vulnerabilities in early 2026:

| Vulnerability ID | CVSS Score | Description |
|---|---|---|
| CVE-2026-35216 | 9.0 (Critical) | Unauthenticated Remote Code Execution via webhook and Bash step |
| CVE-2026-25040 | 8.8 (High) | Privilege escalation allowing Creator-level users to invite new Admin users |
| CVE-2026-33226 | 8.7 (High) | Server-Side Request Forgery allowing authenticated admins to reach internal services |

The clustering of these disclosures within a short timeframe underscores the importance of proactive patch management for organizations running self hosted Budibase instances. Administrators should subscribe to Budibase's GitHub security advisories to stay informed of future disclosures.
