Platform: nodejs
Component: node.js
Fixed in: 3.33.4, 3.33.5
CVE-2026-35214 describes a Path Traversal vulnerability discovered in Budibase, an open-source low-code platform. This flaw allows authenticated attackers with Global Builder privileges to manipulate file paths, potentially leading to arbitrary file deletion and writing. The vulnerability impacts versions of Budibase prior to 3.33.4, and a patch is available in version 3.33.4.
The vulnerability lies in the plugin file upload endpoint. Budibase does not sanitize the user-supplied filename before passing it to createTempFolder(), so a multipart upload whose filename contains path traversal sequences (e.g. ../) yields a temp-folder path outside the intended directory. Because that path is later removed with rmSync, the attacker can delete an arbitrary directory on the server's filesystem; because the uploaded tarball is extracted relative to it, the attacker can also write arbitrary files, potentially overwriting configuration or injecting code that the application later loads. The blast radius is every location the Node.js process has write access to, and the only precondition is an authenticated account holding the Global Builder role.
CVE-2026-35214 was publicly disclosed on April 3, 2026. There is currently no indication of active exploitation in the wild, but the availability of a public CVE and the relatively straightforward nature of the exploit suggest a potential for future attacks. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not yet available, but the vulnerability's nature makes it likely that one will emerge.
Exploit Status
EPSS: 0.14% (35th percentile)
CISA SSVC: not listed
CVSS Vector: not listed
The primary mitigation is to upgrade Budibase to version 3.33.4 or later, which contains the fix. If upgrading is not immediately feasible, a Web Application Firewall (WAF) rule that blocks multipart upload requests whose filename parameter contains path traversal sequences (../, ..\ and their percent-encoded forms) reduces exposure, but treat it as a stopgap: such rules only see what the WAF parses and are routinely bypassed with encoding variants. Because exploitation requires the Global Builder role, review which accounts hold it and remove it from any that do not need it. Finally, run the Node.js process with the least privilege Budibase needs: an unprivileged service account, a dedicated temp directory that holds nothing else and, where possible, a container with a read-only root filesystem, so that a traversal reaching rmSync or the tarball writer can only touch what that account could already modify.
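As an added example of the stopgap filter described above (not Budibase's code and not a rule from any particular WAF product), the function below parses a multipart/form-data body, extracts each part's filename from its Content-Disposition header, peels off nested percent-encoding, and reports filenames carrying traversal sequences so the request can be rejected before it reaches the plugin upload endpoint. The boundary, field names and request body are constructed for the illustration.

```javascript
"use strict";
// Added example (not Budibase code): pre-patch request filter that flags
// multipart upload filenames containing path traversal sequences.

// Undo up to three layers of percent-encoding and fold backslashes, so that
// "%2e%2e%2f" and "..%255c" are judged the same way as "../".
function normaliseFilename(name) {
  let s = name;
  for (let i = 0; i < 3; i++) {
    let decoded;
    try { decoded = decodeURIComponent(s); } catch (e) { break; } // e.g. "100%.tar.gz"
    if (decoded === s) break;
    s = decoded;
  }
  return s.replace(/\\/g, "/");
}

// A plugin filename should be a bare file name: any separator, NUL or
// dot-only name means the client is trying to steer the path.
function isTraversalFilename(name) {
  const n = normaliseFilename(name);
  return n.includes("/") || n.includes("\0") || n === ".." || n === ".";
}

// Minimal multipart parser for the example: split on the boundary, read each
// part's header block, and pull filename= or the RFC 5987 filename*= form.
// Returns the offending filenames (empty array means the request may pass).
function suspiciousFilenames(body, boundary) {
  const parts = body.split("--" + boundary).slice(1); // drop the preamble
  const bad = [];
  for (const part of parts) {
    if (part.startsWith("--")) break;                 // closing boundary
    const headerEnd = part.indexOf("\r\n\r\n");
    const headers = headerEnd === -1 ? part : part.slice(0, headerEnd);
    const star = /filename\*=\s*([^;\r\n]+)/i.exec(headers);
    const plain = /filename=\s*(?:"([^"]*)"|([^;\r\n]*))/i.exec(headers);
    let fname;
    if (star) {
      const v = star[1].trim();                       // charset'lang'value
      const idx = v.indexOf("''");
      fname = idx === -1 ? v : v.slice(idx + 2);
    } else if (plain) {
      fname = plain[1] !== undefined ? plain[1] : plain[2].trim();
    } else {
      continue;                                       // not a file part
    }
    if (isTraversalFilename(fname)) bad.push(fname);
  }
  return bad;
}

// Constructed sample request body: one traversal filename, one benign
// filename, and one traversal filename hidden behind filename*= encoding.
const BOUNDARY = "----ExampleBoundary";
const CONSTRUCTED_BODY = [
  "--" + BOUNDARY,
  'Content-Disposition: form-data; name="file"; filename="../../../../etc/cron.d/evil"',
  "Content-Type: application/gzip",
  "",
  "<tarball bytes>",
  "--" + BOUNDARY,
  'Content-Disposition: form-data; name="file"; filename="plugin.tar.gz"',
  "Content-Type: application/gzip",
  "",
  "<tarball bytes>",
  "--" + BOUNDARY,
  "Content-Disposition: form-data; name=\"file\"; filename*=UTF-8''%2e%2e%2fetc%2fshadow",
  "Content-Type: application/gzip",
  "",
  "<tarball bytes>",
  "--" + BOUNDARY + "--",
  "",
].join("\r\n");
```

The limits of this approach are the reason it is only a workaround: the filter has to see the full decoded body (chunked or compressed transfers can hide it), it cannot inspect entry names inside the tarball, and any encoding it does not peel is a bypass. The server-side fix in 3.33.4 is the only control that closes the deletion and write paths themselves.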
Update Budibase to version 3.33.4 or higher. This version corrects the path traversal vulnerability in plugin upload, preventing arbitrary directory deletion and file writing on the system.
CVE-2026-35214 is a Path Traversal vulnerability in Budibase versions prior to 3.33.4, allowing attackers with Global Builder privileges to delete and write files.
You are affected if you are running a Budibase version earlier than 3.33.4 and have users holding the Global Builder role.
Upgrade Budibase to version 3.33.4 or later. As a temporary workaround, implement a WAF rule to block requests with path traversal sequences in filenames.
There is currently no confirmed active exploitation, but the vulnerability's nature suggests a potential for future attacks.
Refer to the official Budibase security advisory for detailed information and updates: [https://budibase.com/security/advisories](https://budibase.com/security/advisories)