Budibase Low-Code Platform Suffers Critical Path Traversal Vulnerability

CVE Notify is flagging a serious security flaw in the open-source low-code platform Budibase, tracked as CVE-2026-35214. Versions prior to 3.33.4 are vulnerable to path traversal via the plugin file upload endpoint. According to CVE Notify, an attacker holding Global Builder privileges can exploit it by sending a multipart upload to /api/plugin/upload whose filename field contains directory traversal sequences such as '../'.

The core issue is that the platform passes the user-supplied filename to createTempFolder() without sanitizing it, so traversal sequences in the name move the temporary folder outside its intended location. Because that folder is cleared with rmSync and the uploaded tarball is then extracted into it, the attacker can delete arbitrary directories and write files to any location the Node.js process can reach. In effect, a single crafted filename gives the attacker direct control over the server's filesystem.

The good news is that Budibase has addressed the flaw. CVE Notify confirms that it is patched in version 3.33.4, and users are strongly advised to upgrade to 3.33.4 or later without delay.

What This Means For You

  • Organizations running Budibase should audit their deployments for versions prior to 3.33.4 and prioritize upgrading to 3.33.4 or later. Where an immediate upgrade is not feasible, two stop-gaps reduce exposure: restrict the Global Builder role to the smallest set of trusted accounts, since the flaw requires that privilege, and reject multipart uploads to /api/plugin/upload whose filename contains path separators or '..' sequences at a reverse proxy or WAF. Treat the WAF rule as a partial control only: the filename sits inside the multipart body, so the proxy has to parse multipart/form-data for the rule to apply at all.

Related ATT&CK Techniques

T1078.004 (Valid Accounts: Cloud Accounts), tactic: Privilege Escalation, severity: high

Detection Rules

1 rule · 6 SIEM formats, mapped to MITRE ATT&CK.

Credential Abuse from Breached Vendor — CVE-2026-35214 (Sigma YAML)

Source: Shimi's Cyber World

Indicators of Compromise

ID             | Type           | Indicator
CVE-2026-35214 | Path Traversal | Budibase prior to v3.33.4, POST /api/plugin/upload, filename parameter unsanitized, allows arbitrary directory deletion via rmSync and arbitrary file write via tarball extraction.
CVE-2026-35214 | Code Injection | Budibase prior to v3.33.4, POST /api/plugin/upload, filename parameter unsanitized, allows arbitrary file write via tarball extraction to any filesystem path the Node.js process can access.

Related coverage

Featured: Daily Security Digest — 2026-05-22 (CRITICAL)
13 vulnerability disclosures (5 Critical, 8 High) and 14 curated intelligence stories from 6 sources.
Tags: daily-digest, vulnerability, CVE, high-severity, cwe-88, privilege-escalation, cwe-863, critical, remote-code-execution, cwe-434

WordPress Ditty Plugin: Authorization Bypass Exposes Non-Public Content (HIGH, 7.5, 3 IOCs)
CVE-2026-9011 — The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and...
Tags: vulnerability, CVE, high-severity, cwe-862

Vedrixa Forms Plugin for WordPress: Authorization Bypass (MEDIUM, 4.3, 2 IOCs, 2 Sigma rules)
CVE-2026-8692 — The Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress is vulnerable to authorization bypass...
Tags: vulnerability, CVE, medium-severity, cwe-862