Budibase Low-Code Platform Suffers Critical Path Traversal Vulnerability
CVE Notify is flagging a serious security flaw in Budibase, the open-source low-code platform. Versions prior to 3.33.4 are vulnerable to path traversal via the plugin file upload endpoint. According to CVE Notify, an attacker who already holds Global Builder privileges can exploit it by submitting a multipart upload request to /api/plugin/upload whose filename carries directory traversal sequences (such as ‘../’).
The root cause is that the user-supplied filename is passed to the createTempFolder() function without sanitization, so the attacker controls the directory that is subsequently removed with rmSync and the directory into which the uploaded tarball is extracted. The result is arbitrary directory deletion plus arbitrary file write to any location the Node.js process can reach; the process's own filesystem permissions are the only boundary, which is one more reason not to run it as root.
The good news is that Budibase has addressed this vulnerability. CVE Notify confirms that the issue is patched in version 3.33.4, and users are strongly advised to upgrade to 3.33.4 or later without delay.
What This Means For You
- Organizations running Budibase should identify any instance below 3.33.4 and prioritize upgrading to 3.33.4 or later. Where an immediate upgrade isn't feasible, there are three stopgaps worth taking together: review who holds the Global Builder role, since that privilege is the precondition for the attack; filter multipart uploads to /api/plugin/upload at the network edge or WAF for filenames containing traversal sequences (`../`, backslash and encoded variants), bearing in mind that such filtering is easy to evade with encoding tricks and is no substitute for the patch; and run the Node.js process with the least filesystem access it needs, since the deletion and write primitives are bounded by what that process can reach.
Indicators of Compromise
| ID | Type | Details |
|---|---|---|
| CVE-2026-35214 | Path Traversal (arbitrary directory deletion) | Budibase prior to v3.33.4: POST /api/plugin/upload with a multipart filename containing traversal sequences; the unsanitized filename reaches createTempFolder() and an attacker-chosen directory is removed via rmSync. |
| CVE-2026-35214 | Path Traversal (arbitrary file write) | Budibase prior to v3.33.4: the same request causes the uploaded tarball to be extracted into an attacker-chosen directory, writing files to any filesystem path the Node.js process can access. |