Plataforma
nodejs
Componente
budibase
Corrigido em
3.31.6
CVE-2026-30240 is a critical path traversal vulnerability discovered in Budibase, a low-code platform for building internal tools. This flaw allows authenticated users with builder privileges to read arbitrary files from the server's filesystem, potentially exposing sensitive information. The vulnerability impacts versions of Budibase up to and including 3.31.5, and a patch is available.
The impact of CVE-2026-30240 is severe due to the potential for unauthorized access to sensitive data. An attacker exploiting this vulnerability could read files like /proc/1/environ, which contains environment variables. These variables often include critical secrets such as JWT (JSON Web Token) secrets, database credentials, encryption keys, and API tokens. Successful exploitation could lead to complete compromise of the Budibase instance, allowing the attacker to access and manipulate data, escalate privileges, and potentially pivot to other systems on the network. This vulnerability shares similarities with other path traversal exploits where unsanitized user input is used to construct file paths, leading to unintended file access.
CVE-2026-30240 was publicly disclosed on 2026-03-09. The vulnerability's severity is confirmed as CRITICAL (CVSS 9.6). Currently, there are no known public exploits or active campaigns targeting this vulnerability, but the ease of exploitation makes it a high-priority concern. It is not listed on the CISA KEV catalog as of this writing.
Organizations using Budibase for internal tool development and deployment are at risk, particularly those with builder roles granted to multiple users. Shared hosting environments where multiple Budibase instances share the same server filesystem are especially vulnerable, as a compromise of one instance could lead to access to data from other instances. Legacy Budibase configurations with default or weak credentials also increase the risk.
• nodejs / server: Monitor logs for requests to /api/pwa/process-zip with unusual or unexpected file paths in the icons.json payload. Look for attempts to access files outside the expected directory.
grep -r 'path/outside/expected/directory' /var/log/budibase/*• linux / server: Use lsof to monitor file access by the Budibase process. Look for access to sensitive files like /proc/1/environ.
lsof -p $(pgrep budibase) | grep /proc/1/environ• generic web: Use curl to test the /api/pwa/process-zip endpoint with crafted icons.json payloads attempting to read arbitrary files. Check the response for file content.
curl -X POST -d '{"icons": [{"url": "/etc/passwd"}]}' http://<budibase_host>/api/pwa/process-zipdisclosure
Status do Exploit
EPSS
0.03% (percentil 10%)
CISA SSVC
Vetor CVSS
The primary mitigation for CVE-2026-30240 is to upgrade Budibase to a version with the security patch. Consult the official Budibase advisory for the latest recommended version. If immediate upgrading is not possible, consider implementing temporary workarounds. While a direct WAF rule is difficult due to the nature of path traversal, strict input validation on the /api/pwa/process-zip endpoint is crucial. Monitor file system access logs for unusual activity. Review and restrict user privileges to minimize the potential impact of a successful attack. After upgrade, confirm the vulnerability is resolved by attempting to access a restricted file via the vulnerable endpoint and verifying access is denied.
Actualice Budibase a una versión posterior a la 3.31.5. Esto solucionará la vulnerabilidad de path traversal en el procesamiento de archivos ZIP de la PWA.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2026-30240 is a critical path traversal vulnerability in Budibase versions up to 3.31.5, allowing authenticated users to read arbitrary files, potentially exposing sensitive data like JWT secrets and database credentials.
You are affected if you are running Budibase version 3.31.5 or earlier. Immediately assess your environment and apply the necessary patch.
Upgrade Budibase to the latest patched version as recommended in the official Budibase security advisory. Implement temporary workarounds like input validation if immediate upgrading is not possible.
While there are no confirmed active exploits currently, the vulnerability's ease of exploitation makes it a high-priority concern and a potential target for attackers.
Refer to the official Budibase security advisory for detailed information and remediation steps. Check the Budibase website and security announcement channels for updates.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.