Description
Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4.
Published: 2026-04-03
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: File deletion and arbitrary file write via path traversal in plugin upload endpoint
Action: Immediate Patch
AI Analysis

Impact

An attacker who has Global Builder authority can submit a multipart upload to the plugin upload endpoint, including a filename that contains path‑traversal characters. The application forwards this filename directly to the temporary folder creation routine without sanitizing it, allowing the attacker to delete any directory the Node.js process can access and to extract tarball contents to arbitrary filesystem locations, effectively creating, overwriting, or removing files on the server.

Affected Systems

Budibase, the open‑source low‑code platform released before version 3.33.4, contains the vulnerable plugin upload endpoint.

Risk and Exploitability

The vulnerability has a high severity score and, while the likelihood of exploitation is currently low, it is exploitable by authenticated users with Global Builder privileges. An attacker could send a crafted upload request to the vulnerable endpoint, which would then perform privileged filesystem operations such as directory deletion or arbitrary file write on the server.

Generated by OpenCVE AI on April 8, 2026 at 23:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Budibase version 3.33.4 or later to apply the vendor patch that removes the path‑traversal vulnerability.

Generated by OpenCVE AI on April 8, 2026 at 23:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2wfh-rcwf-wh23 Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write
History

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Budibase
Budibase budibase
Vendors & Products Budibase
Budibase budibase

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4.
Title Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Budibase Budibase
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T16:04:36.168Z

Reserved: 2026-04-01T18:48:58.937Z

Link: CVE-2026-35214

cve-icon Vulnrichment

Updated: 2026-04-03T16:04:29.253Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T16:16:41.607

Modified: 2026-04-08T21:19:13.480

Link: CVE-2026-35214

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:29:13Z

Weaknesses