Description
Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4.
Published: 2026-04-03
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: Arbitrary Directory Deletion and File Creation via Plugin Upload
Action: Patch Immediately
AI Analysis

Impact

A path traversal flaw in Budibase's plugin upload endpoint allows an attacker with Global Builder privileges to supply a filename containing '../', causing the server to create temporary folders outside the intended directory. The flaw enables deletion of arbitrary directories using rmSync and writing of arbitrary files via tarball extraction, which can compromise the integrity and confidentiality of the application and underlying filesystem.

Affected Systems

Budibase low‑code platform versions prior to 3.33.4 are affected. The issue resides in the plugin file upload API (/api/plugin/upload). The vulnerability is present in all distributions that expose this endpoint and rely on Node.js to process uploads.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity vulnerability. Because the vulnerability requires only authenticated Global Builder privileges and no special network exposure, exploitability is practical for users with those rights. EPSS data is unavailable, but the lack of an official KEV listing does not diminish its risk. An attacker can craft a multipart upload with a malicious filename to delete or overwrite files, potentially escalating to full server compromise if additional privileges are present.

Generated by OpenCVE AI on April 3, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Budibase to version 3.33.4 or later, which removes the path traversal handling.
  • If an upgrade cannot be performed immediately, limit Global Builder permissions to trusted administrators and monitor the /api/plugin/upload endpoint for anomalous activity.
  • Apply file system permissions or ACLs to restrict the Node.js process from writing to sensitive directories.
  • Log and alert on any unexpected file deletion or creation events within the application.

Generated by OpenCVE AI on April 3, 2026 at 18:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Budibase
Budibase budibase
Vendors & Products Budibase
Budibase budibase

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4.
Title Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Budibase Budibase
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T16:04:36.168Z

Reserved: 2026-04-01T18:48:58.937Z

Link: CVE-2026-35214

cve-icon Vulnrichment

Updated: 2026-04-03T16:04:29.253Z

cve-icon NVD

Status : Received

Published: 2026-04-03T16:16:41.607

Modified: 2026-04-03T16:16:41.607

Link: CVE-2026-35214

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T21:15:13Z

Weaknesses