Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step

Severity:: High

Description

An unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container.

Recommendation

Update the @budibase/server package to the latest compatible version. Followings are version details:

Affected version(s): < 3.33.4
Patched version(s): 3.33.4

References

GHSA-fcm4-4pj2-m5hf
CVE-2026-35216
CWE-78
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

FUXA Unauthenticated Remote Code Execution via Admin JWT Minting - CVE-2026-25893
FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass - CVE-2026-41679
FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass - CVE-2026-43947

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; @budibase/server

Anything's wrong? Let us know Last updated on April 04, 2026