Platform: nodejs
Component: node.js
Fixed in: 3.33.4, 3.33.5
CVE-2026-35214 describes a Path Traversal vulnerability discovered in Budibase, an open-source low-code platform. This flaw allows authenticated attackers with Global Builder privileges to manipulate file paths, potentially leading to arbitrary file deletion and writing. The vulnerability impacts versions of Budibase prior to 3.33.4, and a patch is available in version 3.33.4.
The impact is significant because file deletion and file write primitives on the application host can escalate well beyond the plugin feature. An attacker with Global Builder privileges can send a crafted multipart upload to the plugin file upload endpoint whose filename carries path traversal sequences (e.g., ../), so that the resolved destination lands outside the intended plugin directory. That lets them delete arbitrary directories or overwrite existing files and configuration that the Node.js process can reach. Depending on what is writable, successful exploitation could lead to denial of service, data loss, or code execution if a file that the process later loads or executes is overwritten. The Global Builder requirement limits exposure to authenticated, privileged users, but that role already grants extensive control over the Budibase environment, so a compromised or malicious builder account has a wide blast radius.
CVE-2026-35214 was publicly disclosed on 2026-04-03. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed in the CISA KEV catalog. The CVSS base score of 8.7 (HIGH) reflects the severity of a successful attack, while the low EPSS score (0.14%) reflects the currently low estimated likelihood of exploitation; that likelihood would rise if a PoC were published.
Budibase deployments where users have Global Builder privileges are at the highest risk. Shared hosting environments running Budibase are particularly vulnerable, as a compromised user account could potentially impact the entire host. Organizations relying on Budibase for sensitive data or critical business processes should prioritize patching.
• linux / server: Watch the Budibase Node.js process for unexpected file deletion or creation outside the plugin directory, and use lsof or fuser to see which process holds an unusual path open:
lsof | grep /path/to/suspicious/file
• generic web: Examine access logs for POST requests to /api/plugin/upload whose request target contains ../, including the percent-encoded forms ..%2f and %2e%2e/. Note that a filename carried only inside the multipart body never appears in the access log, so this check needs the application's own request logging to be complete:
grep -Ei 'POST /api/plugin/upload[^"]*(\.\./|\.\.%2f|%2e%2e(/|%2f))' access.log
• windows / supply-chain: Audit process creation (Windows Security event 4688 or Sysmon event 1) for unexpected child processes of the Budibase node.exe process, such as tar or PowerShell invoked during plugin extraction, and scan files written during the upload process with Windows Defender.
Disclosure
Exploit status
EPSS: 0.14% (35th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35214 is to upgrade Budibase to version 3.33.4 or later immediately. If an immediate upgrade is not feasible, tighten file system permissions so the Node.js process cannot write to or delete anything outside the directories it genuinely needs, and restrict the Global Builder role to the smallest set of trusted users. Web Application Firewall (WAF) rules can block requests whose filenames contain path traversal sequences, but treat this as a stop-gap: a WAF must also inspect percent-encoded forms and multipart bodies, and it does not remove the underlying flaw. Monitor Budibase logs for unusual file deletion or modification activity. After upgrading, confirm the fix in a non-production environment by attempting a plugin upload with a filename containing path traversal sequences (e.g., ../../../../etc/passwd) and verifying that the upload is rejected with an appropriate error message.
Upgrade Budibase to version 3.33.4 or later. That release fixes the path traversal in plugin upload, preventing arbitrary directory deletion and file writes on the system.
CVE-2026-35214 is a Path Traversal vulnerability in Budibase versions prior to 3.33.4, allowing attackers with Global Builder privileges to delete and write files.
You are affected if you are running any Budibase version earlier than 3.33.4 and have users with Global Builder privileges.
Upgrade Budibase to version 3.33.4 or later. As a temporary workaround, implement a WAF rule to block requests with path traversal sequences in filenames.
There is currently no confirmed active exploitation, but the vulnerability's nature suggests a potential for future attacks.
Refer to the official Budibase security advisory for detailed information and updates: [https://budibase.com/security/advisories](https://budibase.com/security/advisories)