JustAppSec

Patches unauthenticated RCE via Budibase webhook-triggered Bash step

Published 03 Apr 2026 · Updated 03 Apr 2026 · Source: CVEProject (cvelistV5)

TL;DR — A public Budibase webhook trigger can be chained with the self-hosted “Bash” automation step to reach unauthenticated command execution (as root in-container) when a vulnerable automation exists.

What happened

Budibase is an open-source low-code platform used to build internal tools and workflows, including server-side automations that can be triggered by webhooks.

CVE-2026-35216 describes a critical unauthenticated remote code execution path where the webhook trigger route is exposed without authentication and can invoke an automation containing the EXECUTE_BASH step. Per the GitHub advisory referenced by the CVE record, the attack chain is:

  • POST /api/webhooks/trigger/:instance/:id is registered on publicRoutes (no auth middleware).
  • Webhook body fields can be flattened into the automation context.
  • A Bash step processes templated input (via Handlebars) and then executes it with execSync(), enabling arbitrary command execution.

The CVE record reports CVSS v3.1 9.1 (Critical) and notes the command executes as root inside the container. This is a high-impact pattern for platform teams because “public webhook” + “shell execution step” is a common automation design, and mistakes in auth boundaries tend to become internet-reachable RCE in self-hosted deployments.

Who is impacted

  • Self-hosted Budibase environments where the Bash automation step is available (the advisory notes EXECUTE_BASH is only registered when SELF_HOSTED is enabled).
  • Deployments where an admin has created and published an automation with:
    • a Webhook trigger, and
    • a Bash step whose code uses trigger field templates (e.g., {{ trigger.cmd }}), allowing attacker-controlled webhook body fields to flow into the executed command.
  Component: budibase
    • Affected versions (per CVE record): < 3.33.4
    • Affected versions (as displayed in GitHub advisory UI): <= 3.30.6
    • Patched version referenced by source: 3.33.4

Note: the CVE record and GitHub advisory page present different affected-version bounds; treat this as a scoping ambiguity and prioritize vendor guidance plus your own asset inventory.

What to do now

  • Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
    • "This issue has been patched in version 3.33.4."

  • Inventory self-hosted Budibase instances and identify published automations that combine Webhook triggers with the Bash step (EXECUTE_BASH), especially those templating webhook fields into inputs.code.
  • Treat webhook-triggered automations as internet-facing attack surfaces: review whether /api/webhooks/trigger/... endpoints are exposed externally, and restrict network access where feasible (reverse proxy allowlists, private networking, gateway auth).
  • If compromise is suspected, review logs for unexpected POST traffic to /api/webhooks/trigger/... and investigate automation execution history for anomalous Bash-step commands; rotate credentials reachable from the Budibase server context.
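A helper for the inventory step above, added here as an example (not Budibase's own tooling): it walks exported automation definitions and flags every Bash step that sits behind a Webhook trigger, ranking highest those whose inputs.code templates trigger.* fields. The automation JSON layout (definition.trigger.stepId, definition.steps[].stepId, steps[].inputs.code) and the "WEBHOOK" / "CRON" trigger ids are assumptions to verify against an export from your own instance; the sample data is constructed.

```python
"""Flag Budibase automations that chain a Webhook trigger into an EXECUTE_BASH
step; rank highest those whose inputs.code templates trigger.* fields (the
attacker-controlled webhook body)."""
import re
from typing import Any

# Handlebars references into the trigger context, e.g. {{ trigger.cmd }}.
TRIGGER_REF = re.compile(r"\{\{\s*trigger\.([A-Za-z0-9_.]+)\s*\}\}")
# Assumed identifiers; verify against an export from your own instance.
WEBHOOK_TRIGGER_ID = "WEBHOOK"   # trigger.stepId of the Webhook trigger
BASH_STEP_ID = "EXECUTE_BASH"    # step id named in the advisory

def risky_bash_steps(automation: dict[str, Any]) -> list[dict[str, Any]]:
    """One finding per Bash step behind a Webhook trigger: "high" when the
    shell code references trigger.* fields, "review" for a static command
    that is still reachable through an unauthenticated route."""
    definition = automation.get("definition", {})
    if definition.get("trigger", {}).get("stepId") != WEBHOOK_TRIGGER_ID:
        return []
    findings = []
    for step in definition.get("steps", []):
        if step.get("stepId") != BASH_STEP_ID:
            continue
        code = str(step.get("inputs", {}).get("code", ""))
        refs = TRIGGER_REF.findall(code)
        findings.append({"step": step.get("name", BASH_STEP_ID),
                         "severity": "high" if refs else "review",
                         "trigger_fields": refs})
    return findings

def audit(automations: list[dict[str, Any]]) -> dict[str, list[dict[str, Any]]]:
    """Map automation name -> findings, omitting automations with none."""
    report = {}
    for auto in automations:
        if findings := risky_bash_steps(auto):
            report[auto.get("name", "<unnamed>")] = findings
    return report

# Constructed sample data, not a real Budibase export.
SAMPLE_AUTOMATIONS = [
    {"name": "Deploy hook", "definition": {"trigger": {"stepId": "WEBHOOK"},
     "steps": [{"stepId": "EXECUTE_BASH", "name": "Run script",
                "inputs": {"code": "sh deploy.sh {{ trigger.branch }}"}}]}},
    {"name": "Static hook", "definition": {"trigger": {"stepId": "WEBHOOK"},
     "steps": [{"stepId": "EXECUTE_BASH", "inputs": {"code": "uptime"}}]}},
    {"name": "Nightly cleanup", "definition": {"trigger": {"stepId": "CRON"},
     "steps": [{"stepId": "EXECUTE_BASH", "inputs": {"code": "rm -f /tmp/*.tmp"}}]}},
]

REPORT = audit(SAMPLE_AUTOMATIONS)  # only the two webhook-triggered ones appear
```

Point the script at the automation documents exported from each self-hosted instance; "high" findings are the ones the advisory's attack chain applies to directly.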

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
