Executive Summary

This vulnerability exists in Budibase, an open-source low-code platform, prior to version 3.33.4. The issue is in the plugin file upload endpoint (POST /api/plugin/upload), which takes a user-supplied filename and passes it directly to a function called createTempFolder() without sanitizing path traversal sequences like "../".

An attacker who has Global Builder privileges can exploit this by crafting a multipart upload with a filename containing "../" sequences. This allows the attacker to delete arbitrary directories using rmSync and write arbitrary files via tarball extraction to any filesystem path accessible by the Node.js process running Budibase.

This vulnerability has been fixed in Budibase version 3.33.4.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-35214 is a high-severity path traversal vulnerability that allows an attacker with Global Builder privileges to delete arbitrary directories and write arbitrary files anywhere the Node.js process can access. This can lead to integrity and availability impacts, such as deletion of critical directories and potential denial of service.

While the vulnerability does not directly impact confidentiality (no unauthorized reading of data), the ability to modify or delete files arbitrarily can undermine system integrity and availability, which are critical components of compliance frameworks like GDPR and HIPAA.

Specifically, the vulnerability could lead to disruption of services or tampering with system files, which may violate requirements for data integrity, system availability, and secure processing under these regulations.

Therefore, organizations using affected versions of Budibase prior to 3.33.4 may face compliance risks if this vulnerability is exploited, as it could compromise the secure and reliable handling of data required by standards such as GDPR and HIPAA.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the plugin upload endpoint (`POST /api/plugin/upload`) that include filenames with path traversal sequences such as `../` in the multipart upload's Content-Disposition header.

To detect exploitation attempts on your system or network, you can look for HTTP requests containing filenames with traversal patterns and check for unexpected deletions or file creations outside the intended temporary directories.

Suggested commands to detect potential exploitation attempts include:

• Using network traffic inspection tools (e.g., tcpdump or Wireshark) to filter HTTP POST requests to `/api/plugin/upload` containing `../` in the filename.
• Example tcpdump command to capture such traffic: `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'POST /api/plugin/upload' -A 10 | grep '\.\./'`
• On the server, search logs for suspicious filenames with traversal sequences: `grep -r '\.\./' /path/to/budibase/logs`
• Check the filesystem for unexpected deletions or creations in directories outside the normal temporary directory `/tmp/.budibase`.

Note that detection requires monitoring authenticated users with Global Builder privileges, as the vulnerability requires such privileges to exploit.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker with Global Builder privileges to delete arbitrary directories and write arbitrary files anywhere on the filesystem accessible to the Node.js process.

Such actions can lead to loss of data, corruption of application files, unauthorized modification of system files, and potentially full compromise of the affected system.

The CVSS score of 8.7 (High) reflects the significant integrity and availability impact of this vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade Budibase to version 3.33.4 or later, where the issue has been patched.

Useful 0 Not Useful 0