Budibase @budibase/server patches Critical PostgreSQL pg_dump command injection (CVE-2026-25041)
What happened
GitHub published a Critical security advisory for the npm package @budibase/server (Budibase/budibase) describing a command injection issue in the PostgreSQL integration used to run pg_dump for schema-only exports.
The advisory states the integration constructs a shell command using user-controlled configuration values (e.g., database name/host/password) without proper sanitization/escaping, allowing injection of additional shell commands when pg_dump is invoked.
Who is impacted
- Deployments using @budibase/server versions < 3.23.32.
- Environments where an attacker can influence PostgreSQL connection configuration values (for example via configuration injection, compromised admin/config credentials, or other paths that allow modifying DB connection settings used by Budibase).
What to do now
- Upgrade @budibase/server to 3.23.32 (the patched version).
- Restrict and audit who/what can change database configuration values used by Budibase.
- Consider rotating DB credentials and reviewing for suspicious characters in connection values (e.g., quotes/semicolons) if you suspect exposure.
- Prefer non-shell execution patterns (e.g., execFile with argument arrays and environment variables for secrets) when building similar integrations in internal tooling.
Additional Information
- Advisory: GHSA-726g-59wr-cj4c / CVE-2026-25041
- Severity: Critical
- Weakness: CWE-77 (Command Injection)
- Affected versions: < 3.23.32; Patched: 3.23.32
Published 09 Mar 2026
