CVE-2026-25044
Published: 03 April 2026
Summary
CVE-2026-25044 is a high-severity OS Command Injection (CWE-78) vulnerability in Budibase Budibase. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation and sanitization of user-provided commands before execution via execSync in the bash automation step, preventing OS command injection.
Mandates timely identification, reporting, and correction of the specific flaw enabling unsanitized command execution, as patched in version 3.33.4.
Enforces least privilege on the Budibase server process handling automation steps, limiting the scope and impact of arbitrary commands executed via injection.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in Budibase web app enables remote authenticated RCE via unsanitized bash execSync, mapping directly to public-facing app exploitation (T1190) and Unix shell interpreter abuse (T1059.004).
NVD Description
Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing arbitrary command execution. This…
more
issue has been patched in version 3.33.4.
Deeper analysisAI
CVE-2026-25044 is an OS command injection vulnerability (CWE-78) in Budibase, an open-source low-code platform. In versions prior to 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync, which enables template interpolation and can lead to arbitrary command execution on the server. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
An attacker with low-privilege access, such as an authenticated user, can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting malicious input for the bash automation step, the attacker achieves arbitrary command execution on the Budibase server, potentially compromising confidentiality, integrity, and availability through actions like data exfiltration, modification of platform data, or system disruption.
The vulnerability has been patched in Budibase version 3.33.4. Security practitioners should upgrade to this version or later. Additional details are available in the Budibase security advisory at https://github.com/Budibase/budibase/security/advisories/GHSA-gjw9-34gf-rp6m and the release notes at https://github.com/Budibase/budibase/releases/tag/3.33.2.
Details
- CWE(s)