CVE-2026-54352
Status: Received - Intake
Path Traversal in Budibase via Symlink Exploitation

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Budibase is an open-source low-code platform. Prior to 3.39.9, `POST /api/pwa/process-zip` at packages/server/src/api/routes/static.ts:24 accepts a builder-uploaded .zip, extracts it with extract-zip@2.0.1 into a temp directory, then for each entry listed in icons.json validates the icon path, opens it, and streams the bytes into MinIO. The resulting object is served back via `GET /api/assets/{appId}/pwa/{uuid}.png`. extract-zip@2.0.1 preserves absolute symlink targets when restoring symlink entries. The icon-source validator at packages/server/src/api/controllers/static/index.ts:259-268 resolves the icon source string against baseDir (path.resolve), checks `resolvedSrc.startsWith(baseDir + path.sep)` against that string, and calls `fs.existsSync(resolvedSrc)`, which follows symbolic links to confirm the target exists. None of the three calls rejects symbolic-link entries. packages/backend-core/src/objectStore/objectStore.ts:302 then calls `(await fsp.open(path)).createReadStream()` on the resolved path. fsp.open follows the symlink, the target file's bytes stream into MinIO, and the asset-fetch endpoint returns those bytes verbatim. Result: a workspace-level builder reads any file the server process can open. This vulnerability is fixed in 3.39.9.
Meta Information
Generated: 2026-06-27
AI Q&A: 2026-06-27
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor: budibase; Product: budibase; Version / Range: all versions before 3.39.9 (3.39.9 excluded)
Vendor: extract-zip; Product: extract-zip; Version / Range: 2.0.1
CWE IDs and Descriptions
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
CWE-59: The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
AI Quick Actions (instant insights powered by AI)
Executive Summary

This vulnerability exists in Budibase, an open-source low-code platform, prior to version 3.39.9. It involves the handling of uploaded .zip files via the `POST /api/pwa/process-zip` endpoint. The platform uses extract-zip@2.0.1 to extract the .zip file into a temporary directory. However, extract-zip@2.0.1 preserves absolute symbolic link (symlink) targets when restoring symlink entries.

The system validates icon paths listed in icons.json by resolving each path and checking that the resolved string starts with the base directory, but it does not reject symbolic-link entries, and the existence check follows symlinks. When the server opens these paths, it follows the symlinks and streams the target file's bytes into MinIO, which then serves those bytes back via a GET request.

As a result, a workspace-level builder can read any file that the server process has permission to open, potentially exposing sensitive files through this symlink traversal and extraction flaw. This vulnerability is fixed in Budibase version 3.39.9.

Impact Analysis

This vulnerability can have a severe impact because it allows an attacker with workspace-level builder access to read arbitrary files on the server that the server process can open. This can lead to unauthorized disclosure of sensitive information.

  • Confidential data exposure by reading sensitive files.
  • Potential compromise of system security by leaking configuration files, credentials, or other critical data.
  • High severity impact as indicated by the CVSS score of 9.6, with high confidentiality and integrity impact.

Mitigation Strategies

The vulnerability is fixed in Budibase version 3.39.9. The immediate step to mitigate this vulnerability is to upgrade Budibase to version 3.39.9 or later.
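To make the root cause and the fix concrete, the following added example (not Budibase's own code, and not the patch shipped in 3.39.9) contrasts the validator logic the description above spells out (path.resolve, a string-prefix test, and fs.existsSync) with a hardened check that rejects symlink entries before anything follows them. It builds a constructed extraction directory under the OS temp dir, holding one genuine icon and one symlink entry that points at a file outside the directory, as an extractor that preserves absolute symlink targets would leave it. The function names weakIconCheck, safeIconCheck, buildFixture and demo are assumptions for this illustration.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// The check as the advisory describes it: resolve, string-prefix test, existsSync.
// existsSync follows symlinks, so a symlink entry whose target lies outside
// baseDir still passes all three steps.
function weakIconCheck(baseDir: string, src: string): boolean {
  const base = path.resolve(baseDir);
  const resolvedSrc = path.resolve(base, src);
  return resolvedSrc.startsWith(base + path.sep) && fs.existsSync(resolvedSrc);
}

// Hardened check (assumed illustration, not the project's fix):
// 1. keep the lexical containment test,
// 2. lstat must describe a regular file, so a symlink entry is rejected
//    before any call follows it,
// 3. the realpath of the candidate must still sit under the realpath of
//    baseDir, which also catches a symlinked parent directory.
function safeIconCheck(baseDir: string, src: string): boolean {
  const base = path.resolve(baseDir);
  const resolvedSrc = path.resolve(base, src);
  if (!resolvedSrc.startsWith(base + path.sep)) return false;
  let st: fs.Stats;
  try {
    st = fs.lstatSync(resolvedSrc); // does not follow links
  } catch {
    return false; // missing entry: reject rather than guess
  }
  if (!st.isFile()) return false; // symlinks, directories, devices all fail here
  const realBase = fs.realpathSync(base);
  const realSrc = fs.realpathSync(resolvedSrc);
  return realSrc.startsWith(realBase + path.sep);
}

// Constructed fixture: an "extracted" directory with a real icon and a
// symlink entry pointing at a file outside it.
function buildFixture(): { baseDir: string; outsideFile: string } {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "pwa-demo-"));
  const baseDir = path.join(root, "extracted");
  fs.mkdirSync(baseDir);
  const outsideFile = path.join(root, "outside.txt");
  fs.writeFileSync(outsideFile, "constructed file outside the extraction dir\n");
  fs.writeFileSync(path.join(baseDir, "icon-192.png"), "PNG");
  fs.symlinkSync(outsideFile, path.join(baseDir, "icon-512.png"));
  return { baseDir, outsideFile };
}

// Runs both validators over the fixture and reports each verdict.
function demo(): Record<string, boolean> {
  const { baseDir } = buildFixture();
  return {
    weakRegular: weakIconCheck(baseDir, "icon-192.png"), // true
    weakSymlink: weakIconCheck(baseDir, "icon-512.png"), // true: the flaw
    safeRegular: safeIconCheck(baseDir, "icon-192.png"), // true
    safeSymlink: safeIconCheck(baseDir, "icon-512.png"), // false: rejected by lstat
    safeDotDot: safeIconCheck(baseDir, "../outside.txt"), // false: fails containment
  };
}

console.log(demo());
```

The weak check accepts the symlink entry because every step it takes either ignores link-ness (string prefix) or resolves through it (existsSync). The hardened check never opens or follows the path until lstat has confirmed it is a regular file and realpath has confirmed it still lives under the extraction directory, which closes both CWE-22 and CWE-59 for this call site. The same two conditions should hold on the code path that later opens the file, since a validator and an opener that disagree about symlink handling is exactly the gap described above.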
