CVE-2026-25044: Remote Code Execution via OS Command Injection in Budibase Bash Automations
Vulnerability ID: CVE-2026-25044
CVSS Score: 8.7
Published: 2026-04-03
Budibase versions prior to 3.33.4 contain a critical OS command injection vulnerability within the platform's bash automation step. An authenticated attacker with privileges to create or modify automations can inject shell metacharacters, leading to unauthenticated remote code execution on the host system.
TL;DR
Unsanitized input in the Budibase bash automation feature allows low-privileged users to execute arbitrary OS commands via Node.js execSync. Upgrading to version 3.33.4 resolves the issue.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-78
- Attack Vector: Network
- CVSS v4.0: 8.7
- Privileges Required: Low
- Impact: Remote Code Execution
- Exploit Status: PoC Available
Affected Systems
- Budibase Backend Server
- Budibase Automations Module
-
Budibase: < 3.33.4 (Fixed in:
3.33.4)
Mitigation Strategies
- Upgrade Budibase instances to version 3.33.4 or higher.
- Disable the Bash Automation step globally via Budibase environment configuration if immediate patching is not possible.
- Implement endpoint monitoring to alert on unexpected process creation originating from the Budibase backend service.
Remediation Steps:
- Verify the current version of the Budibase deployment.
- Pull the latest container images for Budibase version 3.33.4 from the official repository.
- Deploy the updated containers and restart the application stack.
- Audit existing automations within the Budibase portal to identify any unauthorized or suspicious bash scripts.
References
- GitHub Advisory GHSA-gjw9-34gf-rp6m
- NVD Record for CVE-2026-25044
- Budibase Release 3.33.2
- Budibase Release 3.33.4 (Patched Version)
Read the full report for CVE-2026-25044 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)