Vulnerability-Lookup

CVE-2026-35214 (GCVE-0-2026-35214)

Vulnerability from cvelistv5 – Published: 2026-04-03 15:43 – Updated: 2026-04-03 16:04

Title

Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write

Summary

Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4.

Severity

8.7 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

4 references

URL	Tags
https://github.com/Budibase/budibase/security/adv…	x_refsource_CONFIRM
https://github.com/Budibase/budibase/pull/18240	x_refsource_MISC
https://github.com/Budibase/budibase/commit/6344d…	x_refsource_MISC
https://github.com/Budibase/budibase/releases/tag…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
Budibase	budibase	Affected: < 3.33.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35214",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-03T16:04:18.609938Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-03T16:04:36.168Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "budibase",
          "vendor": "Budibase",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.33.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-03T15:43:12.426Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23"
        },
        {
          "name": "https://github.com/Budibase/budibase/pull/18240",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Budibase/budibase/pull/18240"
        },
        {
          "name": "https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879"
        },
        {
          "name": "https://github.com/Budibase/budibase/releases/tag/3.33.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Budibase/budibase/releases/tag/3.33.4"
        }
      ],
      "source": {
        "advisory": "GHSA-2wfh-rcwf-wh23",
        "discovery": "UNKNOWN"
      },
      "title": "Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-35214",
    "datePublished": "2026-04-03T15:43:12.426Z",
    "dateReserved": "2026-04-01T18:48:58.937Z",
    "dateUpdated": "2026-04-03T16:04:36.168Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-35214",
      "date": "2026-05-31",
      "epss": "0.00061",
      "percentile": "0.19171"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-35214\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-03T16:16:41.607\",\"lastModified\":\"2026-04-08T21:19:13.480\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":5.8}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.33.4\",\"matchCriteriaId\":\"B316A29C-7C2F-4102-ACF6-DDB06B3D0AD5\"}]}]}],\"references\":[{\"url\":\"https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Budibase/budibase/pull/18240\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/Budibase/budibase/releases/tag/3.33.4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-35214\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-03T16:04:18.609938Z\"}}}], \"references\": [{\"url\": \"https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-03T16:04:29.253Z\"}}], \"cna\": {\"title\": \"Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write\", \"source\": {\"advisory\": \"GHSA-2wfh-rcwf-wh23\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"Budibase\", \"product\": \"budibase\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.33.4\"}]}], \"references\": [{\"url\": \"https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23\", \"name\": \"https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Budibase/budibase/pull/18240\", \"name\": \"https://github.com/Budibase/budibase/pull/18240\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879\", \"name\": \"https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/Budibase/budibase/releases/tag/3.33.4\", \"name\": \"https://github.com/Budibase/budibase/releases/tag/3.33.4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-03T15:43:12.426Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-35214\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-03T16:04:36.168Z\", \"dateReserved\": \"2026-04-01T18:48:58.937Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-03T15:43:12.426Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-35214

Vulnerability from fkie_nvd - Published: 2026-04-03 16:16 - Updated: 2026-04-08 21:19

Severity

8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879	Patch
security-advisories@github.com	https://github.com/Budibase/budibase/pull/18240	Issue Tracking, Patch
security-advisories@github.com	https://github.com/Budibase/budibase/releases/tag/3.33.4	Product, Release Notes
security-advisories@github.com	https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23	Exploit, Mitigation, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	budibase	budibase	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B316A29C-7C2F-4102-ACF6-DDB06B3D0AD5",
              "versionEndExcluding": "3.33.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4."
    }
  ],
  "id": "CVE-2026-35214",
  "lastModified": "2026-04-08T21:19:13.480",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 5.8,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-03T16:16:41.607",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/Budibase/budibase/pull/18240"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/Budibase/budibase/releases/tag/3.33.4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-2WFH-RCWF-WH23

Vulnerability from github – Published: 2026-04-04 06:04 – Updated: 2026-04-04 06:04

Summary

Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write

Details

Summary

The plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access.

Severity

Attack Vector: Network — exploitable via the plugin upload HTTP API
Attack Complexity: Low — no special conditions; a single crafted multipart request suffices
Privileges Required: High — requires Global Builder role (GLOBAL_BUILDER permission)
User Interaction: None
Scope: Changed — the plugin upload feature is scoped to a temp directory, but the traversal escapes to the host filesystem
Confidentiality Impact: None — the vulnerability enables deletion and writing, not reading
Integrity Impact: High — attacker can delete arbitrary directories and write arbitrary files via tarball extraction
Availability Impact: High — recursive deletion of application or system directories causes denial of service

Severity Rationale

Despite the real filesystem impact, severity is bounded by the requirement for Global Builder privileges (PR:H), which is the highest non-admin role in Budibase. In self-hosted deployments the Global Builder may already have server access, further reducing practical impact. In cloud/multi-tenant deployments the impact is more significant as it could affect the host infrastructure.

Affected Component

packages/server/src/api/controllers/plugin/file.ts — fileUpload() (line 15)
packages/server/src/utilities/fileSystem/filesystem.ts — createTempFolder() (lines 78-91)

Description

Unsanitized filename flows into filesystem operations

In packages/server/src/api/controllers/plugin/file.ts, the uploaded file's name is used directly after stripping the .tar.gz suffix:

// packages/server/src/api/controllers/plugin/file.ts:8-19
export async function fileUpload(file: KoaFile) {
  if (!file.name || !file.path) {
    throw new Error("File is not valid - cannot upload.")
  }
  if (!file.name.endsWith(".tar.gz")) {
    throw new Error("Plugin must be compressed into a gzipped tarball.")
  }
  const path = createTempFolder(file.name.split(".tar.gz")[0])
  await extractTarball(file.path, path)

  return await getPluginMetadata(path)
}

The file.name originates from the Content-Disposition header's filename field in the multipart upload, parsed by formidable (via koa-body 4.2.0). Formidable does not sanitize path traversal sequences from filenames.

The createTempFolder function in packages/server/src/utilities/fileSystem/filesystem.ts uses path.join() which resolves ../ sequences, then performs destructive filesystem operations:

// packages/server/src/utilities/fileSystem/filesystem.ts:78-91
export const createTempFolder = (item: string) => {
  const path = join(budibaseTempDir(), item)
  try {
    // remove old tmp directories automatically - don't combine
    if (fs.existsSync(path)) {
      fs.rmSync(path, { recursive: true, force: true })
    }
    fs.mkdirSync(path)
  } catch (err: any) {
    throw new Error(`Path cannot be created: ${err.message}`)
  }

  return path
}

The budibaseTempDir() returns /tmp/.budibase (from packages/backend-core/src/objectStore/utils.ts:33). With a filename like ../../etc/target.tar.gz, path.join("/tmp/.budibase", "../../etc/target") resolves to /etc/target.

Inconsistent defenses confirm the gap

The codebase is aware of the risk in similar paths:

Safe path in utils.ts: The downloadUnzipTarball function (for NPM/GitHub/URL plugin sources) generates a random name server-side: typescript // packages/server/src/api/controllers/plugin/index.ts:68 const name = "PLUGIN_" + Math.floor(100000 + Math.random() * 900000) This is safe because name never contains user input.
Safe path in objectStore.ts: Other uses of budibaseTempDir() use UUID-generated names: typescript // packages/backend-core/src/objectStore/objectStore.ts:546 const outputPath = join(budibaseTempDir(), v4())
Sanitization exists but is not applied: The codebase has sanitizeKey() in objectStore.ts for sanitizing object store paths, but no equivalent is applied to createTempFolder's input.

The file upload path is the only caller of createTempFolder that passes unsanitized user input.

Execution chain

Authenticated Global Builder sends POST /api/plugin/upload with a multipart file whose Content-Disposition filename contains path traversal (e.g., ../../etc/target.tar.gz)
koa-body/formidable parses the upload, setting file.name to the raw filename from the header
controller.upload → sdk.plugins.processUploaded() → fileUpload(file)
.endsWith(".tar.gz") check passes (the suffix is present)
.split(".tar.gz")[0] extracts ../../etc/target
createTempFolder("../../etc/target") is called
path.join("/tmp/.budibase", "../../etc/target") resolves to /etc/target
fs.rmSync("/etc/target", { recursive: true, force: true }) — deletes the target directory recursively
fs.mkdirSync("/etc/target") — creates a directory at the traversed path
extractTarball(file.path, "/etc/target") — extracts attacker-controlled tarball contents to the traversed path

Proof of Concept

# Create a minimal tarball with a test file
mkdir -p /tmp/plugin-poc && echo "pwned" > /tmp/plugin-poc/test.txt
tar czf /tmp/poc-plugin.tar.gz -C /tmp/plugin-poc .

# Upload with a traversal filename targeting /tmp/pwned (non-destructive demo)
curl -X POST 'http://localhost:10000/api/plugin/upload' \
  -H 'Cookie: <global_builder_session_cookie>' \
  -F "file=@/tmp/poc-plugin.tar.gz;filename=../../tmp/pwned.tar.gz"

# Result: server executes:
#   rm -rf /tmp/pwned        (if exists)
#   mkdir /tmp/pwned
#   tar xzf <upload> -C /tmp/pwned
# Verify: ls /tmp/pwned/test.txt

Impact

Arbitrary directory deletion: rmSync with { recursive: true, force: true } deletes any directory the Node.js process can access, including application data directories
Arbitrary file write: Tarball extraction writes attacker-controlled files to any writable path, potentially overwriting application code, configuration, or system files
Denial of service: Deleting critical directories (e.g., the application's data directory, node_modules, or system directories) crashes the application
Potential code execution: In containerized deployments (common for Budibase) where Node.js runs as root, an attacker could overwrite startup scripts or application code to achieve remote code execution on subsequent restarts

Recommended Remediation

Option 1: Sanitize at `createTempFolder` (preferred — protects all callers)

import { join, resolve } from "path"

export const createTempFolder = (item: string) => {
  const tempDir = budibaseTempDir()
  const resolved = resolve(tempDir, item)

  // Ensure the resolved path is within the temp directory
  if (!resolved.startsWith(tempDir + "/") && resolved !== tempDir) {
    throw new Error("Invalid path: directory traversal detected")
  }

  try {
    if (fs.existsSync(resolved)) {
      fs.rmSync(resolved, { recursive: true, force: true })
    }
    fs.mkdirSync(resolved)
  } catch (err: any) {
    throw new Error(`Path cannot be created: ${err.message}`)
  }

  return resolved
}

Option 2: Sanitize at the upload handler (defense-in-depth)

Strip path components from the filename before use:

import path from "path"

export async function fileUpload(file: KoaFile) {
  if (!file.name || !file.path) {
    throw new Error("File is not valid - cannot upload.")
  }
  if (!file.name.endsWith(".tar.gz")) {
    throw new Error("Plugin must be compressed into a gzipped tarball.")
  }
  // Strip directory components from the filename
  const safeName = path.basename(file.name).split(".tar.gz")[0]
  const dir = createTempFolder(safeName)
  await extractTarball(file.path, dir)

  return await getPluginMetadata(dir)
}

Both options should ideally be applied together for defense-in-depth.

Credit

This vulnerability was discovered and reported by bugbunny.ai.

Severity

8.7 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@budibase/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.33.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35214"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-04T06:04:19Z",
    "nvd_published_at": "2026-04-03T16:16:41Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe plugin file upload endpoint (`POST /api/plugin/upload`) passes the user-supplied filename directly to `createTempFolder()` without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing `../` to delete arbitrary directories via `rmSync` and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access.\n\n## Severity\n\n- **Attack Vector:** Network \u2014 exploitable via the plugin upload HTTP API\n- **Attack Complexity:** Low \u2014 no special conditions; a single crafted multipart request suffices\n- **Privileges Required:** High \u2014 requires Global Builder role (`GLOBAL_BUILDER` permission)\n- **User Interaction:** None\n- **Scope:** Changed \u2014 the plugin upload feature is scoped to a temp directory, but the traversal escapes to the host filesystem\n- **Confidentiality Impact:** None \u2014 the vulnerability enables deletion and writing, not reading\n- **Integrity Impact:** High \u2014 attacker can delete arbitrary directories and write arbitrary files via tarball extraction\n- **Availability Impact:** High \u2014 recursive deletion of application or system directories causes denial of service\n\n### Severity Rationale\n\n Despite the real filesystem impact, severity is bounded by the requirement for Global Builder privileges (PR:H), which is the highest non-admin role in Budibase. In self-hosted deployments the Global Builder may already have server access, further reducing practical impact. In cloud/multi-tenant deployments the impact is more significant as it could affect the host infrastructure.\n\n## Affected Component\n\n- `packages/server/src/api/controllers/plugin/file.ts` \u2014 `fileUpload()` (line 15)\n- `packages/server/src/utilities/fileSystem/filesystem.ts` \u2014 `createTempFolder()` (lines 78-91)\n\n## Description\n\n### Unsanitized filename flows into filesystem operations\n\nIn `packages/server/src/api/controllers/plugin/file.ts`, the uploaded file\u0027s name is used directly after stripping the `.tar.gz` suffix:\n\n```typescript\n// packages/server/src/api/controllers/plugin/file.ts:8-19\nexport async function fileUpload(file: KoaFile) {\n  if (!file.name || !file.path) {\n    throw new Error(\"File is not valid - cannot upload.\")\n  }\n  if (!file.name.endsWith(\".tar.gz\")) {\n    throw new Error(\"Plugin must be compressed into a gzipped tarball.\")\n  }\n  const path = createTempFolder(file.name.split(\".tar.gz\")[0])\n  await extractTarball(file.path, path)\n\n  return await getPluginMetadata(path)\n}\n```\n\nThe `file.name` originates from the `Content-Disposition` header\u0027s `filename` field in the multipart upload, parsed by formidable (via koa-body 4.2.0). Formidable does not sanitize path traversal sequences from filenames.\n\nThe `createTempFolder` function in `packages/server/src/utilities/fileSystem/filesystem.ts` uses `path.join()` which resolves `../` sequences, then performs destructive filesystem operations:\n\n```typescript\n// packages/server/src/utilities/fileSystem/filesystem.ts:78-91\nexport const createTempFolder = (item: string) =\u003e {\n  const path = join(budibaseTempDir(), item)\n  try {\n    // remove old tmp directories automatically - don\u0027t combine\n    if (fs.existsSync(path)) {\n      fs.rmSync(path, { recursive: true, force: true })\n    }\n    fs.mkdirSync(path)\n  } catch (err: any) {\n    throw new Error(`Path cannot be created: ${err.message}`)\n  }\n\n  return path\n}\n```\n\nThe `budibaseTempDir()` returns `/tmp/.budibase` (from `packages/backend-core/src/objectStore/utils.ts:33`). With a filename like `../../etc/target.tar.gz`, `path.join(\"/tmp/.budibase\", \"../../etc/target\")` resolves to `/etc/target`.\n\n### Inconsistent defenses confirm the gap\n\nThe codebase is aware of the risk in similar paths:\n\n1. **Safe path in `utils.ts`**: The `downloadUnzipTarball` function (for NPM/GitHub/URL plugin sources) generates a random name server-side:\n   ```typescript\n   // packages/server/src/api/controllers/plugin/index.ts:68\n   const name = \"PLUGIN_\" + Math.floor(100000 + Math.random() * 900000)\n   ```\n   This is safe because `name` never contains user input.\n\n2. **Safe path in `objectStore.ts`**: Other uses of `budibaseTempDir()` use UUID-generated names:\n   ```typescript\n   // packages/backend-core/src/objectStore/objectStore.ts:546\n   const outputPath = join(budibaseTempDir(), v4())\n   ```\n\n3. **Sanitization exists but is not applied**: The codebase has `sanitizeKey()` in `objectStore.ts` for sanitizing object store paths, but no equivalent is applied to `createTempFolder`\u0027s input.\n\nThe file upload path is the only caller of `createTempFolder` that passes unsanitized user input.\n\n### Execution chain\n\n1. Authenticated Global Builder sends `POST /api/plugin/upload` with a multipart file whose `Content-Disposition` filename contains path traversal (e.g., `../../etc/target.tar.gz`)\n2. koa-body/formidable parses the upload, setting `file.name` to the raw filename from the header\n3. `controller.upload` \u2192 `sdk.plugins.processUploaded()` \u2192 `fileUpload(file)`\n4. `.endsWith(\".tar.gz\")` check passes (the suffix is present)\n5. `.split(\".tar.gz\")[0]` extracts `../../etc/target`\n6. `createTempFolder(\"../../etc/target\")` is called\n7. `path.join(\"/tmp/.budibase\", \"../../etc/target\")` resolves to `/etc/target`\n8. `fs.rmSync(\"/etc/target\", { recursive: true, force: true })` \u2014 **deletes the target directory recursively**\n9. `fs.mkdirSync(\"/etc/target\")` \u2014 **creates a directory at the traversed path**\n10. `extractTarball(file.path, \"/etc/target\")` \u2014 **extracts attacker-controlled tarball contents to the traversed path**\n\n## Proof of Concept\n\n```bash\n# Create a minimal tarball with a test file\nmkdir -p /tmp/plugin-poc \u0026\u0026 echo \"pwned\" \u003e /tmp/plugin-poc/test.txt\ntar czf /tmp/poc-plugin.tar.gz -C /tmp/plugin-poc .\n\n# Upload with a traversal filename targeting /tmp/pwned (non-destructive demo)\ncurl -X POST \u0027http://localhost:10000/api/plugin/upload\u0027 \\\n  -H \u0027Cookie: \u003cglobal_builder_session_cookie\u003e\u0027 \\\n  -F \"file=@/tmp/poc-plugin.tar.gz;filename=../../tmp/pwned.tar.gz\"\n\n# Result: server executes:\n#   rm -rf /tmp/pwned        (if exists)\n#   mkdir /tmp/pwned\n#   tar xzf \u003cupload\u003e -C /tmp/pwned\n# Verify: ls /tmp/pwned/test.txt\n```\n\n## Impact\n\n- **Arbitrary directory deletion**: `rmSync` with `{ recursive: true, force: true }` deletes any directory the Node.js process can access, including application data directories\n- **Arbitrary file write**: Tarball extraction writes attacker-controlled files to any writable path, potentially overwriting application code, configuration, or system files\n- **Denial of service**: Deleting critical directories (e.g., the application\u0027s data directory, node_modules, or system directories) crashes the application\n- **Potential code execution**: In containerized deployments (common for Budibase) where Node.js runs as root, an attacker could overwrite startup scripts or application code to achieve remote code execution on subsequent restarts\n\n## Recommended Remediation\n\n### Option 1: Sanitize at `createTempFolder` (preferred \u2014 protects all callers)\n\n```typescript\nimport { join, resolve } from \"path\"\n\nexport const createTempFolder = (item: string) =\u003e {\n  const tempDir = budibaseTempDir()\n  const resolved = resolve(tempDir, item)\n\n  // Ensure the resolved path is within the temp directory\n  if (!resolved.startsWith(tempDir + \"/\") \u0026\u0026 resolved !== tempDir) {\n    throw new Error(\"Invalid path: directory traversal detected\")\n  }\n\n  try {\n    if (fs.existsSync(resolved)) {\n      fs.rmSync(resolved, { recursive: true, force: true })\n    }\n    fs.mkdirSync(resolved)\n  } catch (err: any) {\n    throw new Error(`Path cannot be created: ${err.message}`)\n  }\n\n  return resolved\n}\n```\n\n### Option 2: Sanitize at the upload handler (defense-in-depth)\n\nStrip path components from the filename before use:\n\n```typescript\nimport path from \"path\"\n\nexport async function fileUpload(file: KoaFile) {\n  if (!file.name || !file.path) {\n    throw new Error(\"File is not valid - cannot upload.\")\n  }\n  if (!file.name.endsWith(\".tar.gz\")) {\n    throw new Error(\"Plugin must be compressed into a gzipped tarball.\")\n  }\n  // Strip directory components from the filename\n  const safeName = path.basename(file.name).split(\".tar.gz\")[0]\n  const dir = createTempFolder(safeName)\n  await extractTarball(file.path, dir)\n\n  return await getPluginMetadata(dir)\n}\n```\n\nBoth options should ideally be applied together for defense-in-depth.\n\n## Credit\n\nThis vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).",
  "id": "GHSA-2wfh-rcwf-wh23",
  "modified": "2026-04-04T06:04:19Z",
  "published": "2026-04-04T06:04:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35214"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/pull/18240"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Budibase/budibase"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/releases/tag/3.33.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-35214 (GCVE-0-2026-35214)

FKIE_CVE-2026-35214

GHSA-2WFH-RCWF-WH23

Summary

Severity

Severity Rationale

Affected Component

Description

Unsanitized filename flows into filesystem operations

Inconsistent defenses confirm the gap

Execution chain

Proof of Concept

Impact

Recommended Remediation

Option 1: Sanitize at createTempFolder (preferred — protects all callers)

Option 2: Sanitize at the upload handler (defense-in-depth)

Credit

Tags

Sightings

Nomenclature

Option 1: Sanitize at `createTempFolder` (preferred — protects all callers)