Remote Code Execution in Budibase Low-Code Platform
CVE-2026-35216

9.1 CRITICAL

Key Information:

Vendor: Budibase
Status: Vendor
CVE Published: 3 April 2026

What is CVE-2026-35216?

Budibase, an open-source low-code platform, is affected by a vulnerability that allows an unauthenticated attacker to execute arbitrary code on the Budibase server. An automation that includes a Bash step can be triggered through the public webhook endpoint without any authentication, and the resulting code runs with root privileges inside the container, potentially leading to severe impact on the system. This issue has been addressed in Budibase version 3.33.4.

Affected Version(s)

budibase < 3.33.4

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved