Cyber Posture

CVE-2026-35214

HighPublic PoC

Published: 03 April 2026

Published
03 April 2026
Modified
08 April 2026
KEV Added
Patch
CVSS Score 8.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
EPSS Score 0.0016 36.2th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload…

more

with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Requires validation of user-supplied filenames to block path traversal sequences like ../ in the plugin upload endpoint before passing to createTempFolder().

SI-2 Flaw Remediation good match
prevent

Mandates timely remediation of flaws like this path traversal vulnerability, as addressed by the patch in Budibase version 3.33.4.

SI-7 Software, Firmware, and Information Integrity good match
detect

Monitors for unauthorized modifications to software, firmware, and information, detecting arbitrary file writes and directory deletions via rmSync and tarball extraction.

Security SummaryAI

CVE-2026-35214 is a path traversal vulnerability (CWE-22) in Budibase, an open-source low-code platform. In versions prior to 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes user-supplied filenames directly to the createTempFolder() function without sanitizing path traversal sequences like ../. This flaw has a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H).

An authenticated attacker with Global Builder privileges can exploit the vulnerability over the network with low complexity and no user interaction. By crafting a multipart upload request with a filename containing ../ sequences, the attacker can delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path accessible by the Node.js process, potentially leading to significant integrity and availability impacts across the scoped components.

The vulnerability has been patched in Budibase version 3.33.4. Mitigation involves upgrading to this version or later. Official resources include the patching commit (https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879), pull request (https://github.com/Budibase/budibase/pull/18240), release tag (https://github.com/Budibase/budibase/releases/tag/3.33.4), and security advisory (https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23).

Details

CWE(s)
CWE-22

Affected Products

budibase
budibase
≤ 3.33.4

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
attack.mitre.org →
Why these techniques?

Path traversal in public-facing web app's plugin upload endpoint (T1190) enables authenticated exploitation for privilege escalation to arbitrary filesystem write/delete (T1068), including direct file/directory deletion via rmSync (T1070.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References