{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-35216/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9,"id":"CVE-2026-35216"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-35216","budibase","rce","webhook"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBudibase, an open-source low-code platform, is vulnerable to remote code execution (RCE) in versions prior to 3.33.4. This vulnerability, identified as CVE-2026-35216, allows an unauthenticated attacker to execute arbitrary commands on the Budibase server. The attack involves leveraging the public webhook endpoint to trigger an automation containing a Bash step. Due to the lack of authentication, malicious actors can directly interact with the webhook to initiate the execution. The process runs as root within the container, increasing the severity of the impact. Budibase patched this vulnerability in version 3.33.4. Defenders must upgrade to the latest version to mitigate this threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Budibase instance running a version prior to 3.33.4.\u003c/li\u003e\n\u003cli\u003eThe attacker locates a public webhook endpoint exposed by the Budibase instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the webhook endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request triggers a pre-configured automation within Budibase.\u003c/li\u003e\n\u003cli\u003eThe automation contains a Bash step that executes attacker-controlled commands.\u003c/li\u003e\n\u003cli\u003eThe Bash script executes as root within the container.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the Budibase server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35216 allows an unauthenticated attacker to achieve remote code execution (RCE) on the affected Budibase server. Since the process executes as root within the container, the attacker gains complete control over the Budibase instance. This can lead to data breaches, service disruption, or further lateral movement within the network. Organizations using vulnerable Budibase versions are at high risk of compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Budibase to version 3.33.4 or later to patch CVE-2026-35216.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to webhook endpoints associated with Budibase to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect the execution of bash commands in automations triggered by webhooks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T16:16:41Z","date_published":"2026-04-03T16:16:41Z","id":"/briefs/2026-04-budibase-rce/","summary":"Budibase versions before 3.33.4 are susceptible to unauthenticated remote code execution, where a threat actor can trigger a Bash step within an automation via the public webhook endpoint, leading to code execution as root within the container.","title":"Budibase Unauthenticated Remote Code Execution via Webhook","url":"https://feed.craftedsignal.io/briefs/2026-04-budibase-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-35216","version":"https://jsonfeed.org/version/1.1"}