CVE Catalog

CVE-2026-54352

CriticalCVSS 9.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.49%

39th percentile — higher than 39% of all known CVEs

Summary

Budibase before version 3.39.9 contains a vulnerability due to improper validation of symbolic links during ZIP file processing. A builder-level attacker can inject a symbolic link pointing to any file on the system, which will be read and uploaded to MinIO, then served via the API.

Risk Assessment

The risk is that an attacker with builder privileges can read arbitrary server files, potentially leaking sensitive data such as configurations, keys, or user data.

Recommendation

Upgrade Budibase to version 3.39.9 or later immediately. If upgrading is not possible, restrict access to the /api/pwa/process-zip endpoint to trusted users only.

Original NVD description (English source)

Budibase is an open-source low-code platform. Prior to 3.39.9, `POST /api/pwa/process-zip` at packages/server/src/api/routes/static.ts:24 accepts a builder-uploaded .zip, extracts it with [email protected] into a temp directory, then for each entry listed in icons.json validates the icon path, opens it, and streams the bytes into MinIO. The resulting object is served back via GET /api/assets/{appId}/pwa/{uuid}.png. [email protected] preserves absolute symlink targets when restoring symlink entries. The icon-source validator at packages/server/src/api/controllers/static/index.ts:259-268 resolves the icon source string against baseDir (path.resolve), checks resolvedSrc.startsWith(baseDir + path.sep) against that string, and calls fs.existsSync(resolvedSrc) which follows symbolic links to confirm the target exists. None of the three calls reject symbolic-link entries. packages/backend-core/src/objectStore/objectStore.ts:302 then calls (await fsp.open(path)).createReadStream() on the resolved path. fsp.open follows the symlink, the target file's bytes stream into MinIO, and the response of the asset-fetch endpoint returns those bytes verbatim. Result: a workspace-level builder reads any file the server process can open. This vulnerability is fixed in 3.39.9.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS