Cyber Posture

CVE-2026-35216

Critical · Public PoC · RCE

Published: 03 April 2026
Modified: 08 April 2026
CVSS Score: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0081 (74.5th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35216 is a critical-severity OS Command Injection (CWE-78) vulnerability in Budibase Budibase. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 25.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-14 (Public Access Protections).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Limits permitted actions without identification or authentication, preventing unauthenticated attackers from triggering dangerous Bash automations via the public webhook endpoint.

Prevent: Validates inputs to the public webhook endpoint to block OS command injection payloads that enable RCE in Bash steps.

Prevent: Provides specific protections for publicly accessible interfaces like the webhook endpoint to mitigate unauthorized RCE exploitation.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The flaw is an unauthenticated OS command injection (CWE-78) in the public webhook endpoint of Budibase, a web-facing low-code platform. Reaching it means exploiting a public-facing application (T1190), and the injected payload executes as an arbitrary Unix shell (Bash) command on the server (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. This issue has been patched in version 3.33.4.

Deeper analysis

CVE-2026-35216 is a remote code execution (RCE) vulnerability affecting Budibase, an open-source low-code platform, in versions prior to 3.33.4. The flaw stems from CWE-78 (OS Command Injection) and allows an unauthenticated attacker to execute arbitrary code on the Budibase server by triggering an automation workflow containing a Bash step through the public webhook endpoint. The vulnerability carries a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), reflecting its critical impact despite requiring high attack complexity.

Any unauthenticated remote attacker can exploit this vulnerability without privileges or user interaction by sending a crafted request to the public webhook endpoint, which triggers the malicious automation. Successful exploitation results in RCE on the server, with the Bash process executing as root within the container, potentially granting full control over the host environment, including data exfiltration, persistence, or further lateral movement.

Budibase has addressed the issue in version 3.33.4, as detailed in the official security advisory (GHSA-fcm4-4pj2-m5hf), release notes, associated pull request (#18238), and patching commit (f0c731b409a96e401445a6a6030d2994ff4ac256). Security practitioners should immediately upgrade to 3.33.4 or later and review webhook configurations to disable or restrict unauthenticated automations with Bash steps.

Details

CWE(s)

Affected Products

budibase
budibase
≤ 3.33.4

CVEs Like This One

CVE-2026-25041 (same product: Budibase Budibase)
CVE-2026-25044 (same product: Budibase Budibase)
CVE-2026-41428 (same product: Budibase Budibase)
CVE-2026-31816 (same product: Budibase Budibase)
CVE-2026-25737 (same product: Budibase Budibase)
CVE-2026-35214 (same product: Budibase Budibase)
CVE-2026-31818 (same product: Budibase Budibase)
CVE-2026-30240 (same product: Budibase Budibase)
CVE-2026-27702 (same product: Budibase Budibase)
CVE-2026-33226 (same product: Budibase Budibase)