Budibase PostgreSQL Integration Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the PostgreSQL integration of Budibase, a low-code platform for internal tools. This issue exists in versions through 3.23.22. The vulnerability arises because the integration constructs shell commands using user-controlled database connection values, such as the database name, host, and password, without proper sanitization. As a result, an attacker could inject malicious commands that are executed on the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Budibase is running, potentially leading to a complete system compromise and unauthorized access to sensitive data.

Reproduction

To reproduce this vulnerability, create a PostgreSQL datasource in Budibase Cloud with a malicious payload in the password or database name field, then export the datasource's external schema.

Remediation

Users can update to Budibase version 3.23.35, where this vulnerability has been fixed.

Added: Mar 9, 2026, 8:19 PM
Updated: Mar 9, 2026, 8:19 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 7.5
exploitability: 5.7
remediation: 0.0
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.