CVE-2026-35214 Overview
CVE-2026-35214 is a path traversal vulnerability in Budibase, an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access.
Critical Impact
Authenticated attackers with Global Builder privileges can achieve arbitrary file write and directory deletion on the underlying server, potentially leading to complete system compromise or denial of service.
Affected Products
- Budibase versions prior to 3.33.4
- Self-hosted Budibase deployments with plugin upload functionality enabled
- Environments where Global Builder privileges are assigned to untrusted users
Discovery Timeline
- 2026-04-03 - CVE-2026-35214 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35214
Vulnerability Analysis
This vulnerability stems from improper input validation in the plugin file upload functionality of Budibase. The POST /api/plugin/upload endpoint accepts multipart file uploads for plugin installation. The uploaded filename is passed directly to the createTempFolder() function without any sanitization of path traversal sequences such as ../. This allows an attacker to escape the intended upload directory and manipulate files elsewhere on the filesystem.
The vulnerability enables two distinct attack vectors: first, the unsanitized path can trigger rmSync operations on arbitrary directories during cleanup operations; second, the tarball extraction process can write files to arbitrary filesystem locations accessible by the Node.js process. This combination of directory deletion and arbitrary file write capabilities represents a significant security risk.
Root Cause
The root cause is a classic CWE-22 (Path Traversal) vulnerability where user-controlled input (the filename from the multipart upload) is used to construct filesystem paths without proper validation or sanitization. The createTempFolder() function trusts the filename parameter implicitly, allowing directory traversal sequences to be interpreted by the underlying filesystem operations.
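To make the defect concrete, here is an added example (not Budibase's own code) of a temp-folder helper with the vulnerable shape described above, beside a hardened version that rejects traversal filenames and re-checks containment before mkdir and rmSync. PLUGIN_TMP_BASE and the function names are assumptions for the illustration.

```typescript
import * as fs from "fs"
import * as os from "os"
import * as path from "path"

// Hypothetical scratch directory standing in for the plugin upload temp area.
export const PLUGIN_TMP_BASE = path.join(os.tmpdir(), "plugin-upload-example")

// VULNERABLE shape (as described above): the multipart filename is joined
// straight into the path, so "../../x" resolves outside PLUGIN_TMP_BASE and a
// later rmSync cleanup or tarball extraction would act on that location.
// Returned without touching the disk so the example itself is harmless.
export function tempFolderUnsafe(filename: string): string {
  return path.join(PLUGIN_TMP_BASE, filename)
}

// True if the candidate path is not strictly inside PLUGIN_TMP_BASE.
export function escapesBase(candidate: string): boolean {
  const root = path.resolve(PLUGIN_TMP_BASE)
  return !path.resolve(candidate).startsWith(root + path.sep)
}

// HARDENED: reject rather than "clean" the filename (no separators, no "..",
// allow-listed characters only), then re-check containment on the resolved
// path as defense in depth before creating the folder.
export function createTempFolderSafe(filename: string): string {
  if (/[\\/]/.test(filename) || filename.includes("..") ||
      !/^[\w][\w.-]{0,127}$/.test(filename)) {
    throw new Error(`rejected plugin filename: ${JSON.stringify(filename)}`)
  }
  const dir = path.resolve(PLUGIN_TMP_BASE, filename)
  if (escapesBase(dir)) {
    throw new Error("resolved path escapes the plugin temp directory")
  }
  fs.mkdirSync(dir, { recursive: true })
  return dir
}

// Cleanup with the same containment check, so rmSync can never be pointed at
// a directory outside the scratch area even if a caller passes a bad path.
export function removeTempFolderSafe(dir: string): void {
  if (escapesBase(dir)) {
    throw new Error("refusing to remove a path outside the plugin temp directory")
  }
  fs.rmSync(dir, { recursive: true, force: true })
}
```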
Attack Vector
The attack is network-based and requires authentication with Global Builder privileges. An attacker must:
- Authenticate to the Budibase instance with Global Builder role
- Craft a malicious multipart POST request to /api/plugin/upload
- Include a filename containing path traversal sequences (e.g., ../../../etc/cron.d/malicious)
- Submit the crafted tarball containing malicious files
The following excerpt from the security patch shows the import change in the plugin upload handler:
import {
createTempFolder,
+ deleteFolderFileSystem,
getPluginMetadata,
extractTarball,
} from "../../../utilities/fileSystem"
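Review bot: nothing in the visible lines validates the filename handed to `createTempFolder()` or constrains the `rmSync` cleanup; the hunk only adds `deleteFolderFileSystem` to the import list from `"../../../utilities/fileSystem"`. The sanitization this advisory credits to the fix must sit in lines outside the excerpt, so please extend it to the call site where the filename is checked (or the body of `deleteFolderFileSystem`), otherwise a reader cannot verify the fix from this hunk.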
Source: GitHub Commit Update
Additional changes were made to the GitHub plugin handler:
-import { getPluginMetadata } from "../../../utilities/fileSystem"
+import {
+ deleteFolderFileSystem,
+ getPluginMetadata,
+} from "../../../utilities/fileSystem"
import fetch from "node-fetch"
import { downloadUnzipTarball } from "./utils"
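Review bot: the same gap applies to the GitHub plugin handler: the change shown is purely an import reshuffle (`getPluginMetadata` is now joined by `deleteFolderFileSystem`), with the `node-fetch` and `downloadUnzipTarball` imports unchanged. The lines that call `deleteFolderFileSystem`, and the path they pass to it, are not shown, so whether the cleanup is restricted to the temp directory is not verifiable here; include that call site in the excerpt.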
Source: GitHub Commit Update
Detection Methods for CVE-2026-35214
Indicators of Compromise
- Unusual POST requests to /api/plugin/upload containing ../ sequences in filenames
- Unexpected file modifications outside the Budibase plugin directories
- Evidence of arbitrary file writes in system directories such as /etc, /var, or application directories
- Missing or deleted directories that should exist in the application structure
Detection Strategies
- Monitor HTTP request logs for plugin upload requests containing path traversal patterns (../, ..%2f, ..%5c)
- Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized changes
- Review audit logs for plugin upload activities by Global Builder accounts
- Deploy web application firewall (WAF) rules to detect and block path traversal attempts
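As an added example (not from the advisory or Budibase), a small detector for the traversal patterns listed above, run over constructed log lines. It assumes the upload handler logs the multipart filename next to the request path, and percent-decodes repeatedly so that ../, ..%2f, ..%5c and double-encoded forms all collapse to the same check.

```typescript
const UPLOAD_PATH = "/api/plugin/upload"
// ".." followed by a forward or back slash, tested after percent-decoding.
const TRAVERSAL = /\.\.(\/|\\)/

// Malformed percent sequences are kept as-is rather than crashing the detector.
function decodeOnce(s: string): string {
  try { return decodeURIComponent(s) } catch (_e) { return s }
}

// Decode until the string stops changing, bounded so input cannot loop forever.
export function fullyDecode(s: string, maxRounds = 3): string {
  let cur = s
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeOnce(cur)
    if (next === cur) break
    cur = next
  }
  return cur
}

// A line is flagged only if it is a plugin upload request AND, once decoded,
// carries a traversal sequence; other endpoints are out of scope for this CVE.
export function isSuspiciousUploadLog(line: string): boolean {
  return line.includes(UPLOAD_PATH) && TRAVERSAL.test(fullyDecode(line))
}

export function flagSuspicious(lines: string[]): string[] {
  return lines.filter(isSuspiciousUploadLog)
}

// Constructed sample lines (assumed format: user, method, path, logged filename, status).
export const SAMPLE_LOGS: string[] = [
  'builder1 POST /api/plugin/upload filename="my-plugin.tar.gz" 200',
  'builder1 POST /api/plugin/upload filename="../../../tmp/x.tar.gz" 200',
  'builder2 POST /api/plugin/upload filename="..%2f..%2fx.tar.gz" 200',
  'builder2 POST /api/plugin/upload filename="..%255c..%255cx.tar.gz" 200',
  'builder1 GET /api/applications q="../../not-an-upload" 200',
]
```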
Monitoring Recommendations
- Enable verbose logging for the Budibase plugin upload endpoint
- Configure alerts for any file operations outside expected plugin directories
- Monitor Node.js process file access patterns using system auditing tools (auditd on Linux)
- Track Global Builder account activities and plugin installation events
How to Mitigate CVE-2026-35214
Immediate Actions Required
- Upgrade Budibase to version 3.33.4 or later immediately
- Review audit logs for any suspicious plugin upload activities prior to patching
- Restrict Global Builder privileges to trusted administrators only
- Consider temporarily disabling plugin upload functionality until the patch is applied
Patch Information
Budibase has released version 3.33.4 which addresses this vulnerability. The fix implements proper path sanitization in the plugin upload handler, preventing directory traversal attacks. Organizations should upgrade immediately by following the standard Budibase update procedures.
For detailed patch information, refer to:
Workarounds
- Disable the plugin upload functionality by restricting access to /api/plugin/upload at the reverse proxy or firewall level
- Revoke Global Builder privileges from non-essential users until patching is complete
- Implement network segmentation to limit the impact of potential file write attacks
- Deploy a WAF rule to block requests containing path traversal sequences in multipart file uploads
# Example nginx configuration for the plugin upload endpoint while unpatched.
# Caveat: stock nginx evaluates "if" in the rewrite phase, before the request
# body has been read, so $request_body is empty at that point and the pattern
# below will not match multipart filenames. Inspecting the body needs a WAF
# module such as ModSecurity; the IP allow-list is the control nginx enforces.
location /api/plugin/upload {
    # Intended body check (regex escaping fixed: "\\\\" is one literal backslash)
    if ($request_body ~* "\.\.(/|\\\\)") {
        return 403;
    }
    # Restrict access to trusted administrator networks until patched
    allow 10.0.0.0/8;
    deny all;
    proxy_pass http://budibase_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.