CVE-2026-35178

CriticalRCE

Published: 06 April 2026

Published

06 April 2026

Modified

16 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0033 56.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-35178 is a critical-severity Code Injection (CWE-94) vulnerability in Forceworkbench Forceworkbench. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly addresses the CVE by requiring timely identification, reporting, and patching of the RCE flaw in Workbench versions prior to 65.0.0.

SI-10 Information Input Validation good match

prevent

Mandates validation of attacker-controlled cookie values prior to processing in the timezone conversion flow, preventing arbitrary code execution.

SI-16 Memory Protection partial match

prevent

Provides memory protection mechanisms that mitigate exploitation of the RCE vulnerability even if malicious code is injected via unsafe cookie processing.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE-2026-35178 enables unauthenticated remote code execution in the public-facing Workbench web application via malicious cookie values in timezone conversion, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains remote code execution vulnerability in the timezone conversion flow, which processes attacker-controlled cookie values in an…

unsafe manner. This vulnerability is fixed in 65.0.0.

Deeper analysisAI

CVE-2026-35178 is a remote code execution vulnerability (CWE-94) in Workbench, a suite of tools used by administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. The flaw exists in the timezone conversion flow prior to version 65.0.0, where attacker-controlled cookie values are processed unsafely, enabling arbitrary code execution. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.

The vulnerability can be exploited remotely by unauthenticated attackers with network access and no user interaction required. Exploitation involves crafting malicious cookie values that trigger code execution during timezone conversion processing, potentially allowing full compromise of the affected Workbench instance, including execution of arbitrary commands, data exfiltration, or further lateral movement within the environment.

Mitigation is available through upgrading to Workbench version 65.0.0, which addresses the unsafe cookie processing in the timezone conversion flow. Official advisories, including the GitHub security advisory (GHSA-jw63-m86r-2jxc) and the associated pull request (#869), detail the patch and recommend immediate updates for all prior versions.