Description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint (POST /api/pwa/process-zip) allows an authenticated user with builder privileges to read arbitrary files from the server filesystem, including /proc/1/environ which contains all environment variables — JWT secrets, database credentials, encryption keys, and API tokens. The server reads attacker-specified files via unsanitized path.join() with user-controlled input from icons.json inside the uploaded ZIP, then uploads the file contents to the object store (MinIO/S3) where they can be retrieved through signed URLs. This results in complete platform compromise as all cryptographic secrets and service credentials are exfiltrated in a single request.
Published: 2026-03-09
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Secret disclosure and complete platform compromise via arbitrary file read
Action: Immediate patch
AI Analysis

Impact

In Budibase versions 3.31.5 and earlier, an authenticated user with builder privileges can upload a specially crafted ZIP file to the PWA processing endpoint. The server joins file paths taken from icons.json inside the ZIP onto a server directory with path.join() and no sanitization, allowing the attacker to read any file on the filesystem, including sensitive environment variables such as JWT secrets and database credentials. The extracted file contents are then stored in an object store where they can be retrieved through signed URLs, resulting in the exfiltration of cryptographic secrets and service tokens in a single request. The vulnerability constitutes a high-severity file-reading flaw that can fully compromise the platform.

Affected Systems

The affected product is Budibase, the low-code platform for internal tools, workflows, and admin panels. All installations running version 3.31.5 and earlier are vulnerable. No further version details are provided in the advisory.

Risk and Exploitability

The CVSS score of 9.6 indicates a critical impact. The EPSS score is less than 1%, suggesting a low probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The attack requires the attacker to have authenticated builder privileges and to upload a ZIP file to the /api/pwa/process-zip endpoint. Once exploited, the attacker can read arbitrary files and exfiltrate secrets, effectively compromising the entire Budibase deployment.

Generated by OpenCVE AI on April 16, 2026 at 10:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Budibase update that patches the PWA ZIP processing endpoint and prevents unsanitized path traversal.
  • Revoke all JWT tokens and regenerate any environment secrets that were exposed through the vulnerability.
  • Delete any files that have been uploaded to the object store via the vulnerable endpoint and perform a security audit of the stored data.
  • If an immediate upgrade is not possible, disable builder privileges for all users and block access to the /api/pwa/process-zip endpoint until the patch is applied.



Advisories

No advisories yet.

History

Fri, 13 Mar 2026 18:00:00 +0000

Type: CPEs
Values added: cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*

Tue, 10 Mar 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 14:15:00 +0000

Type: First Time appeared
Values added: Budibase; Budibase budibase

Type: Vendors & Products
Values added: Budibase; Budibase budibase

Mon, 09 Mar 2026 21:15:00 +0000

Type: Description
Values added: Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint (POST /api/pwa/process-zip) allows an authenticated user with builder privileges to read arbitrary files from the server filesystem, including /proc/1/environ which contains all environment variables — JWT secrets, database credentials, encryption keys, and API tokens. The server reads attacker-specified files via unsanitized path.join() with user-controlled input from icons.json inside the uploaded ZIP, then uploads the file contents to the object store (MinIO/S3) where they can be retrieved through signed URLs. This results in complete platform compromise as all cryptographic secrets and service credentials are exfiltrated in a single request.

Type: Title
Values added: Budibase PWA ZIP Upload Path Traversal Allows Reading Arbitrary Server Files Including All Environment Secrets

Type: Weaknesses
Values added: CWE-22; CWE-73

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T15:22:48.070Z

Reserved: 2026-03-04T17:23:59.799Z

Link: CVE-2026-30240

Vulnrichment

Updated: 2026-03-10T15:22:28.927Z

NVD

Status : Analyzed

Published: 2026-03-09T21:16:18.843

Modified: 2026-03-13T17:46:41.427

Link: CVE-2026-30240

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:15:26Z

Weaknesses