Remote Code Execution Vulnerability in Salesforce Workbench Tool
CVE-2026-35178

9.3CRITICAL

Key Information:

Vendor: Forceworkbench
Status: Forceworkbench
Vendor: CVE Published:; 6 April 2026

🔔 Create Forceworkbench Vulnerability Alert

What is CVE-2026-35178?

Workbench, a suite of tools for administrators and developers to interact with Salesforce.com via the Force.com APIs, is prone to a remote code execution vulnerability. This flaw arises from the improper handling of attacker-controlled cookie values during the timezone conversion process. The issue affects versions prior to 65.0.0 of Workbench and poses risks to the integrity of the Salesforce environment by potentially allowing unauthorized commands to be executed. Users are urged to upgrade to version 65.0.0 or later to safeguard against this vulnerability.

Affected Version(s)

forceworkbench < 65.0.0

References

https://github.com/forceworkbench/forceworkbench/security...

x_refsource_CONFIRM

https://github.com/forceworkbench/forceworkbench/pull/869

x_refsource_MISC

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 6, 2026
Vulnerability Reserved
Apr 1, 2026

CVE-2026-35178 Data

JSON