CVE-2026-35214
Path Traversal in Budibase Plugin Upload Enables Arbitrary File Write
Publication date: 2026-04-03
Last updated on: 2026-04-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| budibase | budibase | to 3.33.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Budibase, an open-source low-code platform, prior to version 3.33.4. The issue is in the plugin file upload endpoint (POST /api/plugin/upload), which takes a user-supplied filename and passes it directly to a function called createTempFolder() without sanitizing path traversal sequences like "../".
An attacker who has Global Builder privileges can exploit this by crafting a multipart upload with a filename containing "../" sequences. This allows the attacker to delete arbitrary directories using rmSync and write arbitrary files via tarball extraction to any filesystem path accessible by the Node.js process running Budibase.
This vulnerability has been fixed in Budibase version 3.33.4.
How can this vulnerability impact me? :
This vulnerability can have severe impacts because it allows an attacker with Global Builder privileges to delete arbitrary directories and write arbitrary files anywhere on the filesystem accessible to the Node.js process.
Such actions can lead to loss of data, corruption of application files, unauthorized modification of system files, and potentially full compromise of the affected system.
The CVSS score of 8.7 (High) reflects the significant integrity and availability impact of this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Budibase to version 3.33.4 or later, where the issue has been patched.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-35214 is a high-severity path traversal vulnerability that allows an attacker with Global Builder privileges to delete arbitrary directories and write arbitrary files anywhere the Node.js process can access. This can lead to integrity and availability impacts, such as deletion of critical directories and potential denial of service.
While the vulnerability does not directly impact confidentiality (no unauthorized reading of data), the ability to modify or delete files arbitrarily can undermine system integrity and availability, which are critical components of compliance frameworks like GDPR and HIPAA.
Specifically, the vulnerability could lead to disruption of services or tampering with system files, which may violate requirements for data integrity, system availability, and secure processing under these regulations.
Therefore, organizations using affected versions of Budibase prior to 3.33.4 may face compliance risks if this vulnerability is exploited, as it could compromise the secure and reliable handling of data required by standards such as GDPR and HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the plugin upload endpoint (`POST /api/plugin/upload`) that include filenames with path traversal sequences such as `../` in the multipart upload's Content-Disposition header.
To detect exploitation attempts on your system or network, you can look for HTTP requests containing filenames with traversal patterns and check for unexpected deletions or file creations outside the intended temporary directories.
Suggested commands to detect potential exploitation attempts include:
- Using network traffic inspection tools (e.g., tcpdump or Wireshark) to filter HTTP POST requests to `/api/plugin/upload` containing `../` in the filename.
- Example tcpdump command to capture such traffic: `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'POST /api/plugin/upload' -A 10 | grep '\.\./'`
- On the server, search logs for suspicious filenames with traversal sequences: `grep -r '\.\./' /path/to/budibase/logs`
- Check the filesystem for unexpected deletions or creations in directories outside the normal temporary directory `/tmp/.budibase`.
Note that detection requires monitoring authenticated users with Global Builder privileges, as the vulnerability requires such privileges to exploit.