CVE-2026-30240
Path Traversal in Budibase PWA Allows Full Secret Disclosure
Publication date: 2026-03-09
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| budibase | budibase | to 3.31.5 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30240 is a critical path traversal vulnerability in Budibase, a low-code platform, affecting the Progressive Web App (PWA) ZIP processing endpoint (POST /api/pwa/process-zip). An authenticated user with builder privileges can exploit this flaw by uploading a specially crafted ZIP file containing an icons.json file whose paths traverse outside the intended directory.
The server uses an unsafe path joining method (path.join) without validating that the resolved file paths remain within the temporary extraction directory. This allows the attacker to read arbitrary files on the server filesystem, including sensitive environment files like /proc/1/environ, which contains environment variables such as JWT secrets, database credentials, encryption keys, and API tokens.
The server then uploads the contents of these files to an object store (MinIO or S3), where the attacker can retrieve them via signed URLs. This results in complete platform compromise as all cryptographic secrets and service credentials are exfiltrated in a single request.
How can this vulnerability impact me?
This vulnerability can lead to complete platform compromise. An attacker with builder privileges can exfiltrate all environment secrets, including JWT signing keys, database passwords, encryption keys, API tokens, Redis passwords, MinIO keys, and internal URLs.
With leaked JWT secrets, attackers can forge admin authentication tokens, gaining unauthorized administrative access. Leaked database credentials provide full read/write access to all tenant databases, potentially exposing sensitive data.
On Budibase Cloud, this vulnerability allows cross-tenant data access, affecting thousands of tenants. Confirmed live exploitation exposed critical secrets such as AWS IAM keys, CouchDB admin credentials, CloudFront RSA private keys, and OpenAI API keys.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /api/pwa/process-zip from authenticated users with builder privileges. Specifically, look for uploads of ZIP files containing an icons.json file with path traversal sequences such as "../" in the icon.src entries.
Detection can involve inspecting server logs for such POST requests and analyzing the contents of uploaded ZIP files for malicious path traversal attempts.
Suggested commands to detect exploitation attempts include:
- Using grep to find suspicious POST requests in web server logs: grep -i "/api/pwa/process-zip" /var/log/nginx/access.log | grep POST
- Extracting and inspecting icons.json from uploaded ZIP files to check for "../" sequences: unzip suspicious.zip icons.json && grep "\.\./" icons.json
- Monitoring object store (MinIO/S3) uploads for unexpected keys or files that could indicate exfiltration of sensitive files.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting builder privileges to trusted users only, as the vulnerability requires authenticated builder access.
Avoid uploading untrusted ZIP files to the /api/pwa/process-zip endpoint until a patch is available.
Implement network-level controls to monitor and block suspicious POST requests to the vulnerable endpoint.
Apply any available patches or updates from Budibase as soon as they are released to fix the path traversal vulnerability.
Review and rotate all potentially compromised secrets such as JWT signing keys, database credentials, encryption keys, API tokens, and cloud keys if exploitation is suspected.