Budibase Path Traversal (CVE-2026-30240)
CVE-2026-30240: An authenticated builder in Budibase 3.31.5 and earlier can use path traversal to read arbitrary server files, exposing secrets. Upgrade to 3.31.6 immediately.
Patch now - CVE-2026-30240 is a critical arbitrary file read in Budibase 3.31.5 and earlier that lets an authenticated builder use a path traversal in the PWA ZIP processing endpoint to exfiltrate any server file, including environment variables with JWT keys and database secrets. Upgrade to version 3.31.6 and rotate all credentials immediately.
Overview
A critical security vulnerability has been discovered in the Budibase low-code platform. This flaw, tracked as CVE-2026-30240, allows authenticated users with builder privileges to read sensitive files directly from the server’s filesystem. This can lead to a complete compromise of the Budibase instance and all connected services.
Vulnerability Details
In Budibase versions 3.31.5 and earlier, the feature that processes Progressive Web App (PWA) ZIP files contains a path traversal weakness. The vulnerability exists in the /api/pwa/process-zip endpoint. When an authenticated user uploads a specially crafted ZIP file, the server joins a path taken from the upload onto a base directory with an unsanitized path.join() call, so "../" segments can escape the intended directory. This allows the attacker to direct the server to read any file the process has access to.
The most critical target is the /proc/1/environ file on Linux systems, which contains all environment variables for the main process. This typically includes highly sensitive secrets such as JWT signing keys, database connection strings, encryption keys, and API tokens for external services like S3. The server inadvertently uploads the contents of these read files to its configured object store (e.g., MinIO or Amazon S3), where the attacker can then retrieve them via a signed URL.
Impact
The impact of this vulnerability is severe. A single successful exploit can lead to:
- Full Secret Exfiltration: All platform secrets and credentials are exposed.
- Complete Platform Compromise: An attacker can use the stolen secrets to impersonate the application, access or corrupt databases, and decrypt sensitive data.
- Lateral Movement: Compromised database and API credentials can be used to attack other connected internal services.
This constitutes a critical breach of confidentiality and integrity. For organizations dealing with sensitive data, this could trigger regulatory reporting requirements. You can learn more about data breach implications in our breach reports section.
Remediation and Mitigation
Immediate action is required for all Budibase administrators.
- Patch Immediately: Upgrade Budibase to version 3.31.6 or later without delay. This version contains the necessary fix to properly sanitize file paths.
- Rotate All Secrets: If you suspect any instance may have been compromised, you must rotate all exposed credentials as a precaution. This includes:
  - JWT secrets
  - Database passwords
  - Encryption keys
  - Any API tokens stored in environment variables
- Audit Access: Review logs for the /api/pwa/process-zip endpoint for any suspicious activity prior to patching.
- Principle of Least Privilege: Regularly review and audit user accounts with “builder” or administrative privileges.
Stay informed about critical vulnerabilities like this by following our latest security news. Do not delay in applying this update, as the exploit is straightforward for any authenticated user with builder access.