CVE-2026-30240
📋 TL;DR
This path traversal vulnerability in Budibase allows authenticated users with builder privileges to read arbitrary server files, including sensitive environment variables containing JWT secrets, database credentials, and API tokens. Attackers can exfiltrate all cryptographic secrets in a single request, leading to complete platform compromise. All Budibase deployments running vulnerable versions are affected.
💻 Affected Systems
- Budibase
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete platform takeover with exposure of all secrets (JWT, database, encryption keys, API tokens), enabling lateral movement, data theft, and persistent backdoor access.
Likely Case
Credential theft leading to unauthorized access to databases, object storage, and other integrated services, potentially resulting in data exfiltration and service disruption.
If Mitigated
Limited impact if proper network segmentation, least privilege access, and secret management are implemented, though sensitive data exposure remains possible.
🎯 Exploit Status
Exploitation requires authenticated access (builder privileges) but is otherwise straightforward via a crafted ZIP file containing a malicious icons.json.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.31.6 or later
Vendor Advisory: https://github.com/Budibase/budibase/security/advisories/GHSA-pqcr-jmfv-c9cp
Restart Required: Yes
Instructions:
1. Update Budibase to version 3.31.6 or later.
2. Restart all Budibase services.
3. Verify the patch is applied by checking the version.
🔧 Temporary Workarounds
Disable PWA ZIP processing endpoint
Temporarily block or disable the vulnerable endpoint to prevent exploitation.
- Configure the web server (nginx/apache) to block POST /api/pwa/process-zip
- Use firewall rules to block access to this endpoint
Restrict builder privileges
Limit user accounts with builder privileges to trusted personnel only.
- Review and reduce the number of users with the builder role
- Implement strict access controls for builder accounts
🧯 If You Can't Patch
- Implement network segmentation to isolate Budibase servers from sensitive backend systems.
- Rotate all exposed secrets (JWT, database credentials, API tokens, encryption keys) immediately.
🔍 How to Verify
Check if Vulnerable:
Check Budibase version; if running 3.31.5 or earlier, assume vulnerable. Review logs for suspicious POST requests to /api/pwa/process-zip.
Check Version:
Check the Budibase admin panel or, if containerized, run docker ps | grep budibase and read the image tag of the running container.
Verify Fix Applied:
Confirm version is 3.31.6 or later. Test that path traversal attempts via crafted ZIP files are blocked.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /api/pwa/process-zip from single user
- Unusual file access patterns in object storage logs
- Errors containing path traversal attempts in server logs
Network Indicators:
- Large ZIP file uploads to PWA endpoint followed by object storage retrieval requests
- Unusual outbound traffic to external storage services
SIEM Query:
source="budibase" AND (url="/api/pwa/process-zip" OR message="path traversal")
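As an added detection example (not from the original advisory or the Budibase project), the following Python implements the first log indicator above: a single user sending repeated POSTs to /api/pwa/process-zip. It assumes nginx combined-format access logs and runs over a constructed sample; the alert threshold is an assumption to tune per deployment.

```python
import re
from collections import Counter

# Constructed sample lines in nginx combined-log style (not real Budibase logs).
SAMPLE_LOG = """\
10.0.0.5 - builder1 [10/Mar/2026:12:00:01 +0000] "POST /api/pwa/process-zip HTTP/1.1" 200 512
10.0.0.5 - builder1 [10/Mar/2026:12:00:03 +0000] "POST /api/pwa/process-zip HTTP/1.1" 200 512
10.0.0.5 - builder1 [10/Mar/2026:12:00:05 +0000] "POST /api/pwa/process-zip HTTP/1.1" 500 88
10.0.0.7 - builder2 [10/Mar/2026:12:01:00 +0000] "POST /api/pwa/process-zip HTTP/1.1" 200 512
10.0.0.9 - admin [10/Mar/2026:12:02:00 +0000] "GET /api/pwa/process-zip HTTP/1.1" 405 0
10.0.0.9 - admin [10/Mar/2026:12:02:10 +0000] "GET /builder HTTP/1.1" 200 2048
"""

# Minimal parser for the combined log format: client ip, auth user, timestamp,
# request line (method, path, protocol), status code and response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# The vulnerable endpoint named in the advisory.
TARGET_PATH = "/api/pwa/process-zip"

def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def count_process_zip_posts(log_text):
    """Count POST hits to the PWA ZIP endpoint per (user, ip) pair, ignoring query strings."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0] == TARGET_PATH:
            counts[(rec["user"], rec["ip"])] += 1
    return counts

def flag_suspicious(log_text, threshold=2):
    """Return sorted (user, ip) pairs with more than `threshold` POSTs (threshold is an assumption)."""
    return sorted(k for k, n in count_process_zip_posts(log_text).items() if n > threshold)

if __name__ == "__main__":
    for user, ip in flag_suspicious(SAMPLE_LOG):
        print(f"suspicious: user={user} ip={ip} repeatedly POSTed to {TARGET_PATH}")
```

Because legitimate PWA icon uploads also hit this endpoint, pair the count with the 500-status errors and object-storage access indicators above before treating a hit as confirmed exploitation.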