Critical · Vulnerability · Active

Budibase Unauthenticated RCE via Public Webhook + Bash Automation Template Injection

An unauthenticated attacker can execute arbitrary code as root by POSTing to a public webhook endpoint that triggers automation workflows containing Bash steps with unsanitized template processing. This requires zero authentication and demonstrates complete server compromise.

Sebastion

CVE References

Affected

Budibase/budibase

Vulnerability Description

This is a critical unauthenticated Remote Code Execution vulnerability involving a chain of two design flaws. The root cause stems from: (1) placement of webhook trigger endpoints on publicRoutes without authentication middleware, and (2) unsafe Handlebars template processing in Bash automation steps that directly interpolates user-controlled webhook payload data into shell commands passed to execSync(). The vulnerability class combines authentication bypass (missing access control) with template injection leading to command injection. Since Budibase containers typically run as root, code execution grants complete system compromise.

PoC Significance

This PoC is significant because it demonstrates that the vulnerability is trivially exploitable. An attacker requires only: (a) knowledge of a target's Budibase instance URL, (b) a valid webhook ID (often discoverable via reconnaissance or error messages), and (c) the ability to craft an HTTP POST request. No credentials, social engineering, or multi-step exploitation chains are needed. The preconditions are minimal: the instance must have at least one automation with a Bash step configured. Reliability is exceptionally high since the attack path is deterministic and does not depend on user interaction or race conditions.

Detection Guidance

Log indicators:

  • HTTP POST requests to /api/webhooks/trigger/*/ from unauthenticated sessions
  • Successful 200/202 responses to webhook trigger endpoints without prior authentication events
  • Bash automation execution logs followed immediately by POST events (temporal correlation)
  • Unusual or suspicious command execution in automation logs (e.g., commands containing pipe operators |, command substitution $(...), or shell metacharacters)
  • Process execution as root spawning bash, sh, or child processes from nodejs runtime

YARA/signature patterns:

  • Monitor for HTTP POST bodies containing Handlebars syntax like {{trigger.*}} aimed at webhook endpoints
  • Alert on execSync() calls with dynamically constructed command strings from external input
  • Flag webhook controller methods lacking authentication decorators or middleware validation

Mitigation Steps

Immediate actions:

  • Patch: Upgrade Budibase to a version that adds authentication middleware to the webhook trigger endpoint
  • Workaround: Disable or restrict Bash automation steps at the application level if not required
  • Access control: Place webhook triggers behind authentication OR firewall-restrict access to trusted IP ranges
  • Input sanitization: Implement strict whitelisting for template variables in Bash steps; never allow direct user input interpolation into shell commands
  • Redesign: Migrate Bash automation to use parameterized command execution (argument arrays) instead of string concatenation
  • Runtime hardening: Run Budibase containers as non-root user with minimal capabilities

Risk Assessment

Likelihood of in-the-wild exploitation: VERY HIGH. This vulnerability is trivial to exploit and requires no authentication. Threat actors will prioritize scanning for exposed Budibase instances.

Threat actor interest: CRITICAL. Low effort plus high impact (RCE as root) makes this a prime target for opportunistic attackers, ransomware operators, and APT groups seeking quick footholds. The 0-day window before widespread patching creates acute risk. Enterprises running Budibase in production should treat this as an emergency patch scenario.