Description
Budibase is an open-source low-code platform. Prior to 3.39.9, `POST /api/pwa/process-zip` at packages/server/src/api/routes/static.ts:24 accepts a builder-uploaded .zip, extracts it with extract-zip@2.0.1 into a temp directory, then for each entry listed in icons.json validates the icon path, opens it, and streams the bytes into MinIO. The resulting object is served back via GET /api/assets/{appId}/pwa/{uuid}.png. extract-zip@2.0.1 preserves absolute symlink targets when restoring symlink entries. The icon-source validator at packages/server/src/api/controllers/static/index.ts:259-268 resolves the icon source string against baseDir (path.resolve), checks resolvedSrc.startsWith(baseDir + path.sep) against that string, and calls fs.existsSync(resolvedSrc) which follows symbolic links to confirm the target exists. None of the three calls reject symbolic-link entries. packages/backend-core/src/objectStore/objectStore.ts:302 then calls (await fsp.open(path)).createReadStream() on the resolved path. fsp.open follows the symlink, the target file's bytes stream into MinIO, and the response of the asset-fetch endpoint returns those bytes verbatim. Result: a workspace-level builder reads any file the server process can open. This vulnerability is fixed in 3.39.9.
Published: 2026-06-26
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Budibase, an open-source low-code platform, allows a builder to upload a .zip file via POST /api/pwa/process-zip. The server extracts the archive with extract-zip and then, for each icon specified, resolves the icon's path relative to a temporary directory and streams the file's bytes to a MinIO bucket. Because extract-zip preserves absolute symlink targets and the icon source validator does not reject symlink entries, an attacker who can upload a crafted zip containing a symlink to any server-accessible file can read that file's contents and retrieve it through a subsequent GET request. This vulnerability injects arbitrary server files into the asset pipeline, exposing sensitive data. The weakness is a classic path traversal and symbolic-link exploitation, mapped to CWE-22 and CWE-59.

Affected Systems

Budibase instances running version 3.39.8 or earlier are susceptible. The issue is resolved in Budibase 3.39.9; any version prior to that release must be considered vulnerable.

Risk and Exploitability

The CVSS score of 9.6 indicates high severity; there is no EPSS data available, and the vulnerability is not listed in CISA KEV. Attackers can trigger the flaw by sending a specially crafted zip file to the exposed endpoint, which is reachable over the network. Successful exploitation requires the attacker to have the ability to upload zip files, typically through a workspace builder role. Once the zip is processed the attacker can read any file the Budibase process can access, resulting in full information disclosure of server files.

Generated by OpenCVE AI on June 26, 2026 at 22:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Budibase version 3.39.9 or later, which removes the symlink handling vulnerability.
  • If an immediate upgrade is not feasible, block or restrict access to the /api/pwa/process-zip endpoint so that only trusted administrators can upload archives.
  • Configure the server or the asset handling component to reject symlink entries during extraction or validate target paths strictly, mitigating the underlying path traversal flaw.



Advisories
Source: Github GHSA
ID: GHSA-w7mq-r738-x278
Title: Budibase has arbitrary file read by workspace-builder via PWA-zip symlink upload
History

Fri, 26 Jun 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | (added; identical to the Description section above)
Title | | Budibase: Arbitrary file read by workspace-builder via PWA-zip symlink upload
Weaknesses | | CWE-22, CWE-59
References | |
Metrics | | cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T20:32:51.458Z

Reserved: 2026-06-12T19:23:22.317Z

Link: CVE-2026-54352

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T22:45:05Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-59

    Improper Link Resolution Before File Access ('Link Following')