Vulnerability Description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint (POST /api/pwa/process-zip) allows an authenticated user with builder privileges to read arbitrary files from the server filesystem, including /proc/1/environ which contains all environment variables — JWT secrets, database credentials, encryption keys, and API tokens. The server reads attacker-specified files via unsanitized path.join() with user-controlled input from icons.json inside the uploaded ZIP, then uploads the file contents to the object store (MinIO/S3) where they can be retrieved through signed URLs. This results in complete platform compromise as all cryptographic secrets and service credentials are exfiltrated in a single request.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Budibase | Budibase | <= 3.31.5 |
Related Weaknesses (CWE)
References
- https://github.com/Budibase/budibase/security/advisories/GHSA-pqcr-jmfv-c9cpExploitVendor Advisory
- https://github.com/Budibase/budibase/security/advisories/GHSA-pqcr-jmfv-c9cpExploitVendor Advisory
FAQ
What is CVE-2026-30240?
CVE-2026-30240 is a vulnerability with a CVSS score of 9.6 (CRITICAL). Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint...
How severe is CVE-2026-30240?
CVE-2026-30240 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-30240?
Check the references section above for vendor advisories and patch information. Affected products include: Budibase Budibase.