Budibase Low-Code Platform Patches Critical Command Execution Flaw
CVE Notify is flagging a serious vulnerability, CVE-2026-25044, in the popular open-source low-code platform Budibase. According to its report, versions prior to 3.33.4 contained a flaw in the bash automation step: the step passed a user-controlled command string to execSync (Node's child_process.execSync, which hands the string to a shell) without adequate sanitization or validation.
The core issue was that the command string was rendered through processStringSync, Budibase's template-interpolation helper, so binding values resolved at run time were spliced straight into the shell command line. An attacker able to influence that interpolated input could therefore execute arbitrary commands on the host running the automation. The Budibase team has addressed the vulnerability in version 3.33.4.
What This Means For You
- Organizations using Budibase should immediately check their deployment version and upgrade to 3.33.4 or later. Until the upgrade is done, treat any automation that uses the bash step as able to run arbitrary commands on the Budibase host, since interpolated input reached the shell unsanitized in affected versions.
Related ATT&CK Techniques
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-25044 | Command Injection | Budibase, versions prior to 3.33.4, bash automation step, execSync, processStringSync, template interpolation, arbitrary command execution |
| CVE-2026-25044 | Code Injection | Budibase, versions prior to 3.33.4, bash automation step, execSync, processStringSync, template interpolation, arbitrary command execution |