{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/budibase/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["ssrf","budibase","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical Server-Side Request Forgery (SSRF) vulnerability exists in Budibase version 3.30.6, affecting self-hosted instances that do not explicitly configure the \u003ccode\u003eBLACKLIST_IPS\u003c/code\u003e environment variable. The vulnerability resides within the REST datasource connector and the backend-core blacklist module. Due to the absence of a default IP blacklist, the \u003ccode\u003eisBlacklisted()\u003c/code\u003e function in \u003ccode\u003epackages/backend-core/src/blacklist/blacklist.ts\u003c/code\u003e unconditionally returns \u003ccode\u003efalse\u003c/code\u003e, bypassing SSRF protection. This allows users with \u003ccode\u003eBuilder\u003c/code\u003e privileges or \u003ccode\u003eQUERY WRITE\u003c/code\u003e permissions to create malicious REST datasources, query internal services, and exfiltrate sensitive data, including CouchDB credentials, application data, and internal service metadata. This vulnerability impacts confidentiality, integrity, and availability, potentially leading to complete instance takeover.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker with \u003ccode\u003eBuilder\u003c/code\u003e privileges logs into the Budibase application.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new REST datasource via \u003ccode\u003ePOST /api/datasources\u003c/code\u003e, configuring it to target an internal service like \u003ccode\u003ehttp://couchdb-service:5984\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Budibase server, specifically the \u003ccode\u003epackages/server/src/integrations/rest.ts\u003c/code\u003e component, evaluates the URL against the blacklist. Due to the empty \u003ccode\u003eBLACKLIST_IPS\u003c/code\u003e, the \u003ccode\u003eisBlacklisted()\u003c/code\u003e function returns \u003ccode\u003efalse\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe REST integration proceeds with the request using the \u003ccode\u003efetch\u003c/code\u003e API, sending the request to the specified internal service.\u003c/li\u003e\n\u003cli\u003eThe internal service (e.g., CouchDB) responds with data.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a query via \u003ccode\u003ePOST /api/queries\u003c/code\u003e that uses the malicious REST datasource.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the query via \u003ccode\u003ePOST /api/v2/queries/:id\u003c/code\u003e, triggering a request to the internal service.\u003c/li\u003e\n\u003cli\u003eThe response from the internal service, containing sensitive data like database credentials or application data, is returned to the attacker, enabling data exfiltration or further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to read CouchDB databases, including user credentials (bcrypt password hashes) and platform configurations. They can also modify user records, create new admin accounts, alter application data, or delete databases. The vulnerability enables resource exhaustion, database destruction, and service disruption. The vulnerability crosses the security boundary between the Budibase application layer and the infrastructure layer, granting access to CouchDB, MinIO, Redis, and other internal services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately set the \u003ccode\u003eBLACKLIST_IPS\u003c/code\u003e environment variable in your Budibase deployment to include at least \u003ccode\u003e127.0.0.1\u003c/code\u003e, private IP ranges (\u003ccode\u003e10.0.0.0/8\u003c/code\u003e, \u003ccode\u003e172.16.0.0/12\u003c/code\u003e, \u003ccode\u003e192.168.0.0/16\u003c/code\u003e), link-local addresses (\u003ccode\u003e169.254.0.0/16\u003c/code\u003e), and cloud metadata endpoints to mitigate the SSRF vulnerability.\u003c/li\u003e\n\u003cli\u003eRestrict \u003ccode\u003eBUILDER\u003c/code\u003e role access to only trusted users. Consider using the principle of least privilege for application-level permissions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Budibase REST Datasource Creation Targeting Internal IPs\u0026rdquo; to your SIEM and tune for your environment to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eIf you have unpatched instances of Budibase and have granted \u003ccode\u003eQUERY WRITE\u003c/code\u003e permissions widely, immediately audit and revoke those permissions from untrusted users.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for unusual requests originating from the Budibase application server to internal IP addresses or services, particularly those used by CouchDB, Redis, or MinIO, to identify potential SSRF attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T12:00:00Z","date_published":"2026-04-04T12:00:00Z","id":"/briefs/2026-04-budibase-ssrf/","summary":"A critical Server-Side Request Forgery (SSRF) vulnerability in Budibase's REST datasource connector allows attackers with Builder privileges to exfiltrate sensitive data from internal network services due to a missing default IP blacklist.","title":"Budibase REST Connector SSRF via Empty Blacklist","url":"https://feed.craftedsignal.io/briefs/2026-04-budibase-ssrf/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["command-injection","rce","budibase"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA command injection vulnerability has been identified in Budibase versions prior to 3.33.4, specifically within the bash automation step located in \u003ccode\u003epackages/server/src/automations/steps/bash.ts\u003c/code\u003e. This flaw allows an attacker with permissions to create or modify automation workflows to inject arbitrary shell commands. The vulnerability stems from the usage of \u003ccode\u003eexecSync\u003c/code\u003e to execute user-supplied commands without adequate sanitization or validation. Input is processed through \u003ccode\u003eprocessStringSync\u003c/code\u003e, enabling template interpolation that can be exploited for command injection. Successful exploitation could lead to remote code execution, complete system compromise, data exfiltration, and lateral movement within the affected infrastructure. Defenders should prioritize patching or implementing mitigations to prevent exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to the Budibase platform with the ability to create or modify automation workflows.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing shell commands embedded within template syntax (e.g., \u003ccode\u003e$(rm -rf /)\u003c/code\u003e, \u003ccode\u003e; malicious-command\u003c/code\u003e, \u003ccode\u003e| malicious-command\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious payload into the \u003ccode\u003einputs.code\u003c/code\u003e field of a bash automation step.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eprocessStringSync\u003c/code\u003e function processes the user-supplied input, interpolating the template syntax and generating a command string.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eexecSync\u003c/code\u003e function executes the crafted command string without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected shell commands execute on the server with the privileges of the Budibase application.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution, potentially gaining control of the server.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as data exfiltration, lateral movement, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to severe consequences, including remote code execution (RCE) on the Budibase server. This could result in complete system compromise, allowing attackers to steal sensitive data, modify system configurations, or use the compromised system as a pivot point for further attacks within the network. While the exact number of affected organizations is unknown, any Budibase instance running a version prior to 3.33.4 is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately disable the bash automation step in production environments to prevent further exploitation.\u003c/li\u003e\n\u003cli\u003eUpgrade Budibase to version 3.33.4 or later, where this vulnerability is addressed.\u003c/li\u003e\n\u003cli\u003eImplement the command sanitization and validation techniques outlined in the provided example fix.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, implement a whitelist of allowed commands to restrict the functionality of the bash automation step.\u003c/li\u003e\n\u003cli\u003eEnable and review Budibase application logs for any unusual or suspicious command execution patterns (reference: Overview section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T12:00:00Z","date_published":"2026-04-04T12:00:00Z","id":"/briefs/2026-04-budibase-cmd-injection/","summary":"A command injection vulnerability exists in Budibase's bash automation step due to insufficient sanitization, allowing attackers with automation modification access to inject arbitrary shell commands, leading to remote code execution.","title":"Budibase Command Injection Vulnerability in Bash Automation Step","url":"https://feed.craftedsignal.io/briefs/2026-04-budibase-cmd-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9,"id":"CVE-2026-35216"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-35216","budibase","rce","webhook"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBudibase, an open-source low-code platform, is vulnerable to remote code execution (RCE) in versions prior to 3.33.4. This vulnerability, identified as CVE-2026-35216, allows an unauthenticated attacker to execute arbitrary commands on the Budibase server. The attack involves leveraging the public webhook endpoint to trigger an automation containing a Bash step. Due to the lack of authentication, malicious actors can directly interact with the webhook to initiate the execution. The process runs as root within the container, increasing the severity of the impact. Budibase patched this vulnerability in version 3.33.4. Defenders must upgrade to the latest version to mitigate this threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Budibase instance running a version prior to 3.33.4.\u003c/li\u003e\n\u003cli\u003eThe attacker locates a public webhook endpoint exposed by the Budibase instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the webhook endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request triggers a pre-configured automation within Budibase.\u003c/li\u003e\n\u003cli\u003eThe automation contains a Bash step that executes attacker-controlled commands.\u003c/li\u003e\n\u003cli\u003eThe Bash script executes as root within the container.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the Budibase server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35216 allows an unauthenticated attacker to achieve remote code execution (RCE) on the affected Budibase server. Since the process executes as root within the container, the attacker gains complete control over the Budibase instance. This can lead to data breaches, service disruption, or further lateral movement within the network. Organizations using vulnerable Budibase versions are at high risk of compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Budibase to version 3.33.4 or later to patch CVE-2026-35216.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to webhook endpoints associated with Budibase to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect the execution of bash commands in automations triggered by webhooks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T16:16:41Z","date_published":"2026-04-03T16:16:41Z","id":"/briefs/2026-04-budibase-rce/","summary":"Budibase versions before 3.33.4 are susceptible to unauthenticated remote code execution, where a threat actor can trigger a Bash step within an automation via the public webhook endpoint, leading to code execution as root within the container.","title":"Budibase Unauthenticated Remote Code Execution via Webhook","url":"https://feed.craftedsignal.io/briefs/2026-04-budibase-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2026-35218"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["budibase","xss","cve-2026-35218","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBudibase, an open-source low-code platform, is vulnerable to a stored cross-site scripting (XSS) attack. Prior to version 3.32.5, the Builder Command Palette renders entity names (tables, views, queries, automations) unsanitized, using Svelte\u0026rsquo;s {@html} directive. This allows an attacker with Builder access to inject arbitrary HTML into the names of database tables, views, queries, or automations. When a Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the injected HTML payload is executed within their browser context. This execution can be leveraged to steal session cookies, leading to full account takeover. The vulnerability, identified as CVE-2026-35218, was patched in Budibase version 3.32.5. Defenders should prioritize upgrading to the patched version.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to a Budibase instance with Builder access.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a database table.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious HTML payload (e.g., \u003ccode\u003e\u0026lt;img src=x onerror=alert(document.domain)\u0026gt;\u003c/code\u003e) into the table name via the Budibase Builder interface.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the modified table.\u003c/li\u003e\n\u003cli\u003eAnother authenticated user with Builder access in the same workspace opens the Command Palette (Ctrl+K).\u003c/li\u003e\n\u003cli\u003eThe Command Palette renders the table name containing the malicious HTML.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser executes the injected HTML, triggering the onerror event and executing JavaScript.\u003c/li\u003e\n\u003cli\u003eThe JavaScript steals the user\u0026rsquo;s session cookie and sends it to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen session cookie to impersonate the victim user and gain full account access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to the theft of sensitive user session cookies, allowing an attacker to impersonate legitimate users with Builder access. This can result in unauthorized modification of Budibase applications, exfiltration of sensitive data stored within Budibase, and further compromise of systems integrated with Budibase. The severity is high due to the ease of exploitation for authenticated users and the potential for complete account takeover.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Budibase to version 3.32.5 or later to remediate CVE-2026-35218.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eBudibase_Suspicious_Command_Palette_HTML\u003c/code\u003e to detect potential exploitation attempts by monitoring HTTP activity related to the Command Palette.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging to collect the data required by the Sigma rule \u003ccode\u003eBudibase_Suspicious_Command_Palette_HTML\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T16:16:41Z","date_published":"2026-04-03T16:16:41Z","id":"/briefs/2026-04-budibase-xss/","summary":"A stored cross-site scripting (XSS) vulnerability in Budibase versions prior to 3.32.5 allows authenticated users with Builder access to inject malicious HTML payloads into entity names, leading to potential session cookie theft and account takeover when other Builder users open the Command Palette.","title":"Budibase Stored Cross-Site Scripting Vulnerability (CVE-2026-35218)","url":"https://feed.craftedsignal.io/briefs/2026-04-budibase-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2026-35214"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path-traversal","vulnerability","budibase"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBudibase, an open-source low-code platform, is vulnerable to a path traversal attack in versions prior to 3.33.4. This flaw resides in the plugin file upload endpoint (POST /api/plugin/upload), where the user-supplied filename is passed unsanitized to createTempFolder(). An attacker with Global Builder privileges can exploit this by crafting a multipart upload containing \u0026ldquo;../\u0026rdquo; sequences in the filename. This allows them to manipulate file paths, leading to arbitrary directory deletion via rmSync and arbitrary file write via tarball extraction. The attacker can write files to any filesystem path accessible by the Node.js process running Budibase. This vulnerability has been patched in version 3.33.4, and organizations using older versions are at risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains Global Builder privileges within a vulnerable Budibase instance (version \u0026lt; 3.33.4).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a multipart upload request targeting the \u003ccode\u003e/api/plugin/upload\u003c/code\u003e endpoint (POST request).\u003c/li\u003e\n\u003cli\u003eWithin the multipart form data, the attacker includes a filename parameter.\u003c/li\u003e\n\u003cli\u003eThe filename parameter contains path traversal sequences such as \u0026ldquo;../\u0026rdquo; to manipulate the file path.\u003c/li\u003e\n\u003cli\u003eThe Budibase application passes the unsanitized filename to the \u003ccode\u003ecreateTempFolder()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe manipulated path is then used in subsequent file system operations, such as \u003ccode\u003ermSync\u003c/code\u003e (for deleting directories) and tarball extraction.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages \u003ccode\u003ermSync\u003c/code\u003e with the manipulated path to delete arbitrary directories on the server.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker leverages tarball extraction to write arbitrary files to arbitrary locations on the server, leading to potential code execution or data compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker with Global Builder privileges to perform arbitrary file system operations on the Budibase server. This includes the ability to delete arbitrary directories, potentially causing denial of service, and write arbitrary files, potentially leading to remote code execution. The impact is significant as it could allow for complete system compromise if the attacker can overwrite critical system files or deploy malicious code. This is especially dangerous for organizations relying on Budibase for critical business applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Budibase to version 3.33.4 or later to patch the CVE-2026-35214 vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/api/plugin/upload\u003c/code\u003e endpoint containing filenames with \u0026ldquo;../\u0026rdquo; sequences using the Sigma rule provided.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit the number of users with Global Builder privileges within Budibase.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T16:16:41Z","date_published":"2026-04-03T16:16:41Z","id":"/briefs/2024-05-budibase-traversal/","summary":"A path traversal vulnerability exists in Budibase versions prior to 3.33.4, allowing attackers with Global Builder privileges to delete arbitrary directories and write arbitrary files via crafted plugin uploads.","title":"Budibase Path Traversal Vulnerability in Plugin Upload","url":"https://feed.craftedsignal.io/briefs/2024-05-budibase-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Budibase","version":"https://jsonfeed.org/version/1.1"}