CVE-2026-30240
Status: Received - Intake
Path Traversal in Budibase PWA Allows Full Secret Disclosure

Publication date: 2026-03-09

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint (POST /api/pwa/process-zip) allows an authenticated user with builder privileges to read arbitrary files from the server filesystem, including /proc/1/environ, which contains all environment variables: JWT secrets, database credentials, encryption keys, and API tokens. The server reads attacker-specified files via an unsanitized path.join() with user-controlled input from icons.json inside the uploaded ZIP, then uploads the file contents to the object store (MinIO/S3), where they can be retrieved through signed URLs. This results in complete platform compromise, as all cryptographic secrets and service credentials are exfiltrated in a single request.
Meta Information
Published: 2026-03-09
Last Modified: 2026-03-13
Generated: 2026-05-07
AI Q&A: 2026-03-09
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: budibase
Product: budibase
Version / Range: up to and including 3.31.5
CWE
CWE-73: The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-30240 is a critical path traversal vulnerability in Budibase, a low code platform, affecting the Progressive Web App (PWA) ZIP processing endpoint (POST /api/pwa/process-zip). An authenticated user with builder privileges can exploit this flaw by uploading a specially crafted ZIP file containing an icons.json file with paths that traverse outside the intended directory.

The server builds the file path with path.join(extractDir, icon.src) and never checks that the resolved path still lies within the temporary extraction directory. path.join normalises "../" segments instead of rejecting them, so a src such as ../../../../proc/1/environ resolves straight to /proc/1/environ. This lets the attacker read arbitrary files on the server filesystem, including /proc/1/environ (the environment of PID 1, which in a container is the server process itself), which holds environment variables such as JWT secrets, database credentials, encryption keys, and API tokens.

The server then uploads the contents of these files to an object store (MinIO or S3), where the attacker can retrieve them via signed URLs. This results in complete platform compromise as all cryptographic secrets and service credentials are exfiltrated in a single request.


How can this vulnerability impact me?

This vulnerability can lead to complete platform compromise. An attacker with builder privileges can exfiltrate all environment secrets, including JWT signing keys, database passwords, encryption keys, API tokens, Redis passwords, MinIO keys, and internal URLs.

With leaked JWT secrets, attackers can forge admin authentication tokens, gaining unauthorized administrative access. Leaked database credentials provide full read/write access to all tenant databases, potentially exposing sensitive data.

On Budibase Cloud, this vulnerability allows cross-tenant data access, affecting thousands of tenants. Confirmed live exploitation exposed critical secrets such as AWS IAM keys, CouchDB admin credentials, CloudFront RSA private keys, and OpenAI API keys.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for POST requests to the endpoint /api/pwa/process-zip from authenticated users with builder privileges. Specifically, look for uploads of ZIP files containing an icons.json whose icon src entries carry path traversal sequences such as "../".

Detection can involve inspecting reverse-proxy or server logs for such POST requests and analysing the contents of uploaded ZIP files for traversal attempts. An access log records only the request line, not the ZIP body, so the uploaded archive itself (or the resulting object-store keys) has to be examined to confirm an attempt.

Suggested commands to detect exploitation attempts include:

- Using grep to find POST requests to the endpoint in the proxy's access log (the path shown assumes an nginx front end): grep -i "/api/pwa/process-zip" /var/log/nginx/access.log | grep POST
- Reading icons.json straight out of a suspect ZIP and checking for "../" sequences without extracting it to disk: unzip -p suspicious.zip icons.json | grep -n '\.\./'
- Monitoring object store (MinIO/S3) uploads for unexpected keys, or objects whose contents look like environment dumps or credential files, which could indicate exfiltration of sensitive files. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting builder privileges to trusted users only, as the vulnerability requires authenticated builder access.

Upgrade to a Budibase release newer than 3.31.5, the latest version listed as affected, as soon as you can. Until the upgrade is in place, avoid uploading untrusted ZIP files to the /api/pwa/process-zip endpoint.

Implement network-level controls to monitor, and if necessary block, POST requests to the vulnerable endpoint at the reverse proxy; blocking it disables PWA icon uploads but removes the attack surface until the upgrade lands.

Review and rotate all potentially compromised secrets, including JWT signing keys, database credentials, encryption keys, API tokens, and cloud keys, if exploitation is suspected. Because a single request exfiltrates the whole environment, treat every secret in it as exposed rather than rotating selectively.

