CVE-2026-54352
Analyzed Analyzed - Analysis Complete

Path Traversal in Budibase via Symlink Exploitation

Vulnerability report for CVE-2026-54352, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

Budibase is an open-source low-code platform. Prior to 3.39.9, `POST /api/pwa/process-zip` at packages/server/src/api/routes/static.ts:24 accepts a builder-uploaded .zip, extracts it with [email protected] into a temp directory, then for each entry listed in icons.json validates the icon path, opens it, and streams the bytes into MinIO. The resulting object is served back via GET /api/assets/{appId}/pwa/{uuid}.png. [email protected] preserves absolute symlink targets when restoring symlink entries. The icon-source validator at packages/server/src/api/controllers/static/index.ts:259-268 resolves the icon source string against baseDir (path.resolve), checks resolvedSrc.startsWith(baseDir + path.sep) against that string, and calls fs.existsSync(resolvedSrc) which follows symbolic links to confirm the target exists. None of the three calls reject symbolic-link entries. packages/backend-core/src/objectStore/objectStore.ts:302 then calls (await fsp.open(path)).createReadStream() on the resolved path. fsp.open follows the symlink, the target file's bytes stream into MinIO, and the response of the asset-fetch endpoint returns those bytes verbatim. Result: a workspace-level builder reads any file the server process can open. This vulnerability is fixed in 3.39.9.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-30
Generated
2026-07-17
AI Q&A
2026-06-27
EPSS Evaluated
2026-07-15
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
budibase budibase to 3.39.9 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Budibase, an open-source low-code platform, prior to version 3.39.9. It involves the handling of uploaded .zip files via the POST /api/pwa/process-zip endpoint. The platform uses [email protected] to extract the .zip file into a temporary directory. However, [email protected] preserves absolute symbolic link (symlink) targets when restoring symlink entries.

The system validates icon paths listed in icons.json by resolving paths and checking if they start with the base directory, but it does not reject symbolic-link entries. When the server opens these paths, it follows the symlinks and streams the target file's bytes into MinIO, which then serves these bytes back via a GET request.

As a result, a workspace-level builder can read any file that the server process has permission to open, potentially exposing sensitive files through this symlink traversal and extraction flaw. This vulnerability is fixed in Budibase version 3.39.9.

Detection Guidance

This vulnerability can be detected by checking if your Budibase server version is prior to 3.39.9 and if it allows uploading .zip files containing symbolic links that point outside the intended directory.

To detect exploitation attempts or presence of malicious symlinks, you can monitor uploads to the POST /api/pwa/process-zip endpoint and inspect the contents of uploaded .zip files for symlinks pointing to sensitive system files.

You can also check if the server process is running with elevated privileges (e.g., as root), which increases risk.

Suggested commands to help detect suspicious symlinks or files on your system include:

  • Use 'find' to locate symbolic links in directories used by Budibase for uploads or temp extraction: find /path/to/budibase/temp -type l -ls
  • Check the target of suspicious symlinks: ls -l /path/to/symlink
  • Monitor network traffic for GET requests to /api/assets/{appId}/pwa/{uuid}.png which may indicate attempts to retrieve streamed files.
  • Audit server logs for POST requests to /api/pwa/process-zip with unusual payload sizes or patterns.
Impact Analysis

This vulnerability can have a severe impact because it allows an attacker with workspace-level builder access to read arbitrary files on the server that the server process can open. This can lead to unauthorized disclosure of sensitive information.

  • Confidential data exposure by reading sensitive files.
  • Potential compromise of system security by leaking configuration files, credentials, or other critical data.
  • High severity impact as indicated by the CVSS score of 9.6, with high confidentiality and integrity impact.
Compliance Impact

This vulnerability allows unauthorized reading of sensitive files on the server, including secrets such as JWT_SECRET, INTERNAL_API_KEY, and database credentials. Exposure of such sensitive information can lead to data breaches and unauthorized access, which may violate data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive data.

Because the vulnerability enables privilege escalation and potential full system compromise, it increases the risk of unauthorized data disclosure and loss of data integrity, both of which are critical compliance concerns under these standards.

Mitigation Strategies

The vulnerability is fixed in Budibase version 3.39.9. The immediate step to mitigate this vulnerability is to upgrade Budibase to version 3.39.9 or later.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54352. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart