CVE-2026-35216: Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step
An unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container.
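As an added defender-side example (not part of the advisory and not Budibase's own code): a small Python audit that checks a reported Budibase version against the fixed release 3.33.4 and scans an exported automation list for the combination the advisory describes, a webhook trigger paired with a Bash step. The export layout, the `WEBHOOK` / `EXECUTE_BASH` step identifiers and the sample export are assumptions, not taken from the page; adjust them to your real export.

```python
import json
import re

# Fixed release per the advisory references (releases/tag/3.33.4).
FIXED_VERSION = (3, 33, 4)


def parse_version(version: str) -> tuple:
    """Parse 'v3.33.4' or '3.33.4-beta' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable_version(version: str) -> bool:
    """True when the reported Budibase version predates the fix."""
    return parse_version(version) < FIXED_VERSION


def risky_automations(automations: list) -> list:
    """Names of automations a webhook can trigger that also contain a Bash step.

    Assumed (hypothetical) export shape: definition.trigger.stepId and
    definition.steps[].stepId; adapt the field names to your own export.
    """
    hits = []
    for automation in automations:
        definition = automation.get("definition", {})
        trigger = definition.get("trigger", {}).get("stepId")
        steps = definition.get("steps", [])
        has_bash = any(step.get("stepId") == "EXECUTE_BASH" for step in steps)
        if trigger == "WEBHOOK" and has_bash:
            hits.append(automation.get("name", "<unnamed>"))
    return hits


# Constructed sample export: one risky automation, one webhook without Bash,
# one Bash step that is not reachable from a webhook.
SAMPLE_EXPORT = json.dumps([
    {"name": "deploy-hook", "definition": {"trigger": {"stepId": "WEBHOOK"},
     "steps": [{"stepId": "SERVER_LOG"}, {"stepId": "EXECUTE_BASH"}]}},
    {"name": "notify", "definition": {"trigger": {"stepId": "WEBHOOK"},
     "steps": [{"stepId": "SERVER_LOG"}]}},
    {"name": "nightly-cleanup", "definition": {"trigger": {"stepId": "CRON"},
     "steps": [{"stepId": "EXECUTE_BASH"}]}},
])


def audit(version: str, export_json: str) -> dict:
    """Combine both checks: an instance is exposed when it is unpatched AND
    has at least one webhook-triggered automation with a Bash step."""
    vulnerable = is_vulnerable_version(version)
    risky = risky_automations(json.loads(export_json))
    return {"version": version, "vulnerable_version": vulnerable,
            "risky_automations": risky, "exposed": vulnerable and bool(risky)}


if __name__ == "__main__":
    print(json.dumps(audit("3.33.3", SAMPLE_EXPORT), indent=2))
```

Upgrading to 3.33.4 or later removes the version condition; the automation list tells you which automations to review first on instances you cannot patch immediately.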
References
- github.com/Budibase/budibase
- github.com/Budibase/budibase/commit/f0c731b409a96e401445a6a6030d2994ff4ac256
- github.com/Budibase/budibase/pull/18238
- github.com/Budibase/budibase/releases/tag/3.33.4
- github.com/Budibase/budibase/security/advisories/GHSA-fcm4-4pj2-m5hf
- github.com/advisories/GHSA-fcm4-4pj2-m5hf
- nvd.nist.gov/vuln/detail/CVE-2026-35216