CRITICAL🇵🇱 Wersja polska

CVE-2026-30240

CVSS 9.6v3.1pub. 2026-03-09upd. 2026-03-13

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint (POST /api/pwa/process-zip) allows an authenticated user with builder privileges to read arbitrary files from the server filesystem, including /proc/1/environ which contains all environment variables — JWT secrets, database credentials, encryption keys, and API tokens. The server reads attacker-specified files via unsanitized path.join() with user-controlled input from icons.json inside the uploaded ZIP, then uploads the file contents to the object store (MinIO/S3) where they can be retrieved through signed URLs. This results in complete platform compromise as all cryptographic secrets and service credentials are exfiltrated in a single request.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
  • Budibase

    APP
    Budibase
    ≤ 3.31.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2026-54350CRITICAL10.0PL ✓ten sam produkt

SQL/NoSQL Injection w Budibase — nieautoryzowany odczyt i zapis danych

CVE-2026-54352CRITICAL9.6PL ✓ten sam produkt

Budibase: path traversal przez symlink w endpoint przetwarzania ZIP

CVE-2026-41428CRITICAL9.1PL ✓ten sam produkt

Budibase: pominięcie uwierzytelnienia przez manipulację query string

CVE-2026-35216CRITICAL9.0PL ✓ten sam produkt

Budibase: nieuwierzytelniony RCE przez publiczny webhook i krok Bash

CVE-2026-31818CRITICAL9.6PL ✓ten sam produkt

SSRF w Budibase — nieaktywna ochrona blacklisty IP umożliwia dowolne żądania