CVE-2026-35216 — AI Deep Analysis Summary

🚨 **Essence**: Budibase < 3.33.4 has a critical flaw. Unauthenticated attackers can trigger automations via public webhooks. 💥 **Consequences**: Potential **Remote Code Execution (RCE)**.…

🛡️ **Root Cause**: **CWE-78** (OS Command Injection). The core flaw is **unvalidated input** at the public webhook endpoint. Attackers inject malicious commands into the automation trigger.

📦 **Affected**: **Budibase** (Low-code platform). Specifically versions **prior to 3.33.4**. If you are running an older build, you are at risk.

👑 **Attacker Capabilities**: With **No Privileges (PR:N)** required, hackers can execute arbitrary OS commands. Impact is **High** on Confidentiality, Integrity, and Availability. They own your server.

⚡ **Exploitation Threshold**: **High Complexity (AC:H)** but **No Auth (PR:N)** and **No UI (UI:N)** needed.…

🔍 **Public Exploit**: **No PoC available** in the data. However, the CVSS score (9.8) and RCE nature suggest wild exploitation is likely imminent once details are reverse-engineered by the community.

🔎 **Self-Check**: Scan for **Budibase instances** exposed to the internet. Check for **public webhook endpoints**. Verify your version number immediately. Look for unauthorized automation triggers.

✅ **Official Fix**: **Yes**. Patched in **Budibase 3.33.4**. See GitHub PR #18238 and Advisory GHSA-fcm4-4pj2-m5hf. Upgrade is the primary mitigation.

🚧 **No Patch Workaround**: Isolate the Budibase instance from the public internet. Restrict access to webhook endpoints via **WAF** or **Firewall rules**. Disable unnecessary automations if possible.

🔥 **Urgency**: **CRITICAL**. CVSS 9.8 is near-maximum. RCE via unauthenticated access is a top-tier threat. **Patch immediately** upon upgrading to 3.33.4+.