CVE-2026-35216
Budibase · Budibase
Budibase versions prior to 3.33.4 contain an unauthenticated Remote Code Execution (RCE) flaw. Attackers can trigger Bash-based automations via a public webhook to execute commands as root.
Executive summary
Budibase is vulnerable to a critical unauthenticated remote code execution flaw that allows attackers to execute arbitrary commands as the root user via public webhooks.
Vulnerability
This vulnerability allows an unauthenticated attacker to achieve Remote Code Execution (RCE) by triggering a specific automation containing a Bash step through the public webhook endpoint. The exploit requires no authentication and executes with root privileges within the server container.
Business impact
A successful exploit results in the total compromise of the Budibase server, allowing attackers to steal sensitive data, modify applications, or move laterally within the network. The CVSS score of 9.0 reflects the critical nature of unauthenticated root-level access. Organizations may face significant data breaches and operational downtime if this vulnerability is exploited.
Remediation
Immediate Action: Update Budibase to version 3.33.4 or later to patch the vulnerable automation logic.
Proactive Monitoring: Monitor access logs for unusual requests to the public webhook endpoint and review container logs for unexpected Bash execution.
Compensating Controls: Implement a Web Application Firewall (WAF) to restrict access to webhook endpoints to known, trusted IP addresses only.
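The monitoring and compensating-control items above can be turned into a concrete check. The script below is an added example, not Budibase's own code or tooling: it parses constructed access-log lines in combined log format, flags requests to the public webhook endpoint that come from outside a trusted allowlist (the same boundary the WAF rule would enforce), and compares a deployed version string against the 3.33.4 fix line. The webhook path prefix, the allowlisted networks and the sample log lines are all assumptions constructed for the example; substitute the paths and networks from your own deployment.

```python
import ipaddress
import re
from collections import Counter

# Assumed path prefix for Budibase's public webhook trigger endpoint (placeholder
# for this example; confirm against the webhook URLs your instance generates).
WEBHOOK_PATH_PREFIX = "/api/webhooks/trigger/"

# Fixed version from the advisory; anything older is considered exposed.
FIXED_VERSION = "3.33.4"

# Constructed allowlist of networks permitted to reach the webhook endpoint
# (mirrors the WAF compensating control in the remediation section).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Combined/common log format: ip ident user [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)

# Constructed sample access log: two untrusted webhook hits, two trusted ones,
# one unrelated request and one malformed line.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2026:10:00:01 +0000] "POST /api/webhooks/trigger/app_1/wh_1 HTTP/1.1" 200 512 "-" "internal-job/1.0"
198.51.100.7 - - [01/Apr/2026:10:00:07 +0000] "POST /api/webhooks/trigger/app_1/wh_1 HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.9 - - [01/Apr/2026:10:00:09 +0000] "GET /builder/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Apr/2026:10:00:12 +0000] "POST /api/webhooks/trigger/app_1/wh_1 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.4 - - [01/Apr/2026:10:00:15 +0000] "POST /api/webhooks/trigger/app_2/wh_9 HTTP/1.1" 200 512 "-" "partner-sync/2.1"
this line is not a valid access log entry
"""


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip):
    """True if the client address falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address is never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def flag_webhook_requests(lines):
    """Return the parsed entries that hit the webhook endpoint from untrusted sources."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # malformed lines are skipped rather than raising
        if not entry["path"].startswith(WEBHOOK_PATH_PREFIX):
            continue
        if is_trusted(entry["ip"]):
            continue
        findings.append(entry)
    return findings


def summarize(findings):
    """Count flagged webhook requests per source address."""
    return Counter(f["ip"] for f in findings)


def _version_tuple(version):
    """'v3.33.4-beta' -> (3, 33, 4); pre-release suffixes are ignored."""
    core = version.strip().lstrip("vV").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable_version(version, fixed=FIXED_VERSION):
    """True when the deployed version is older than the version that ships the fix."""
    return _version_tuple(version) < _version_tuple(fixed)


if __name__ == "__main__":
    hits = flag_webhook_requests(SAMPLE_LOG.splitlines())
    for ip, count in summarize(hits).items():
        print(f"untrusted webhook requests from {ip}: {count}")
    for v in ("3.33.3", "3.33.4"):
        print(f"version {v}: {'EXPOSED' if is_vulnerable_version(v) else 'patched'}")
```

Running it against a real log requires only pointing `flag_webhook_requests` at the file's lines and adjusting `WEBHOOK_PATH_PREFIX` and `TRUSTED_NETWORKS`; a non-empty result from an address that should never reach the endpoint is the signal the monitoring recommendation asks for, and pairing it with the container-log review for unexpected Bash execution gives a second, independent indicator.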
Exploitation status
Public Exploit Available: false
Analyst recommendation
The severity of this RCE vulnerability cannot be overstated, as it grants full system control to unauthenticated remote actors. IT teams must prioritize the update to Budibase version 3.33.4 immediately. Failure to patch leaves the entire low-code environment and its underlying data exposed to complete takeover.