CVE-2026-54352
published 2026-06-26CVE-2026-54352: Budibase is an open-source low-code platform. Prior to 3.39.9, `POST /api/pwa/process-zip` at packages/server/src/api/routes/static.ts:24 accepts a…
PriorityP260critical9.6CVSS 3.1
AVNACLPRLUINSCCHIHAN
EPSS
0.47%
37.0th percentile
Budibase is an open-source low-code platform. Prior to 3.39.9, `POST /api/pwa/process-zip` at packages/server/src/api/routes/static.ts:24 accepts a builder-uploaded .zip, extracts it with [email protected] into a temp directory, then for each entry listed in icons.json validates the icon path, opens it, and streams the bytes into MinIO. The resulting object is served back via GET /api/assets/{appId}/pwa/{uuid}.png. [email protected] preserves absolute symlink targets when restoring symlink entries. The icon-source validator at packages/server/src/api/controllers/static/index.ts:259-268 resolves the icon source string against baseDir (path.resolve), checks resolvedSrc.startsWith(baseDir + path.sep) against that string, and calls fs.existsSync(resolvedSrc) which follows symbolic links to confirm the target exists. None of the three calls reject symbolic-link entries. packages/backend-core/src/objectStore/objectStore.ts:302 then calls (await fsp.open(path)).createReadStream() on the resolved path. fsp.open follows the symlink, the target file's bytes stream into MinIO, and the response of the asset-fetch endpoint returns those bytes verbatim. Result: a workspace-level builder reads any file the server process can open. This vulnerability is fixed in 3.39.9.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| budibase | budibase | < 3.39.9 | 3.39.9 |
| budibase | server | >= 0 < 3.39.9 | 3.39.9 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
budibase up to 3.39.8 /api/pwa/process-zip createReadStream path traversal (GHSA-w7mq-r738-x278 / EUVD-2026-39910)
vuldb·2026-06-27·CVSS 9.6
CVE-2026-54352 [CRITICAL] budibase up to 3.39.8 /api/pwa/process-zip createReadStream path traversal (GHSA-w7mq-r738-x278 / EUVD-2026-39910)
A vulnerability marked as critical has been reported in budibase up to 3.39.8. Affected by this issue is the function createReadStream of the file /api/pwa/process-zip. The manipulation leads to path traversal.
This vulnerability is documented as CVE-2026-54352. The attack can be initiated remotely. There is not any exploit available.
It is suggested to upgrade the affected component.
GHSA
Budibase has arbitrary file read by workspace-builder via PWA-zip symlink upload
ghsa·2026-06-22
CVE-2026-54352 [CRITICAL] CWE-22 Budibase has arbitrary file read by workspace-builder via PWA-zip symlink upload
Budibase has arbitrary file read by workspace-builder via PWA-zip symlink upload
## Summary
`POST /api/pwa/process-zip` at `packages/server/src/api/routes/static.ts:24` accepts a builder-uploaded `.zip`, extracts it with `[email protected]` into a temp directory, then for each entry listed in `icons.json` validates the icon path, opens it, and streams the bytes into MinIO. The resulting object is served back via `GET /api/assets/{appId}/pwa/{uuid}.png`.
`[email protected]` preserves absolute symlink targets when restoring symlink entries. The icon-source validator at `packages/server/src/api/controllers/static/index.ts:259-268` resolves the icon source string against `baseDir` (`path.resolve`), checks `resolvedSrc.startsWith(baseDir + path.sep)` against that string, and calls `fs.exists
No detection rules found.
No public exploits indexed.
2026-06-26
Published