Budibase Arbitrary File Read Vulnerability via PWA-zip Symlink Upload (CVE-2026-54352)
A critical vulnerability, CVE-2026-54352, in Budibase server allows an authenticated workspace builder to perform arbitrary file reads on the host system by uploading a crafted PWA zip file containing a symbolic link, leading to credential compromise and privilege escalation, potentially enabling a full global administrator takeover.
A critical arbitrary file read vulnerability (CVE-2026-54352) affects Budibase server versions up to 3.39.0 (HEAD feab995, released 2026-05-20). This flaw allows an authenticated workspace builder to read any file accessible by the server process, including highly sensitive configuration files like /data/.env (containing JWT_SECRET, INTERNAL_API_KEY, and database credentials) and system files such as /etc/passwd or /etc/shadow. The vulnerability stems from improper handling of symbolic links within uploaded PWA .zip files by the extract-zip@2.0.1 library, coupled with insufficient validation in Budibase's icon processing logic. When exploited, it can lead to credential disclosure, privilege escalation to global administrator, and even cross-tenant exposure in multi-tenant environments. This vulnerability impacts self-hosted Budibase deployments, especially those running the default Docker image where the Node server executes as root.
Attack Chain
- An attacker gains authenticated access as a workspace builder to a Budibase instance, obtaining necessary cookies and CSRF tokens from
GET /api/global/self. - The attacker crafts a
.ziparchive containing a symbolic link, for example,evil.png, which targets a sensitive file on the server's filesystem, such as/data/.env. - The attacker includes an
icons.jsonfile within the.zipthat references the created symbolic link, for example,{"icons":[{"src":"evil.png", ...}]}. - The attacker sends an HTTP POST request to
/api/pwa/process-zipwith the crafted.zipfile in the request body, using their authenticated session. - The Budibase server, using
extract-zip@2.0.1, extracts the.zipfile into a temporary directory, preserving the absolute target of the symbolic link. - During PWA icon processing, the server's validator (
packages/server/src/api/controllers/static/index.ts:259-268) resolves the icon path, follows the symbolic link usingfs.existsSync, and then opens the target file usingfsp.opento stream its content. - The content of the sensitive target file (e.g.,
/data/.env) is then streamed into MinIO and made available via a new public URL, typicallyGET /api/assets/{appId}/pwa/{uuid}.png. - The attacker retrieves the sensitive file's content by making a GET request to the newly generated PWA asset URL, completing the arbitrary file read.
Impact
Successful exploitation of CVE-2026-54352 leads to the disclosure of critical secrets from the Budibase server's host system. This includes JWT_SECRET, INTERNAL_API_KEY, MINIO_ACCESS_KEY, MINIO_SECRET_KEY, REDIS_PASSWORD, COUCHDB_PASSWORD, and DATABASE_URL from the /data/.env file. With the leaked JWT_SECRET, an attacker can forge HS256 JWTs, escalating privileges from a workspace builder to a global administrator. This allows for full compromise of the Budibase instance, including potential cross-tenant data access on multi-tenant installations. Furthermore, if the Budibase Docker container runs as root (the default configuration), system files like /etc/passwd and /etc/shadow are also exposed, providing additional credential harvesting opportunities.
Recommendation
- Immediately update Budibase server to version
3.39.9or newer to patch CVE-2026-54352. - Rotate all credentials found in
/data/.env, includingJWT_SECRET,INTERNAL_API_KEY,MINIO_*,REDIS_PASSWORD,COUCHDB_PASSWORD, andDATABASE_URL, especially if using self-hosted Budibase deployments. - Implement strong logging and monitoring for attempts to access sensitive file paths mentioned in the IOCs (e.g.,
/data/.env,/etc/passwd,/etc/shadow) via unexpected application endpoints. - Ensure that the Budibase server process does not run with
rootprivileges within its container or host environment, following the principle of least privilege, to limit the blast radius of arbitrary file read vulnerabilities.
Indicators of compromise
3
file_path
| Type | Value |
|---|---|
| file_path | /data/.env |
| file_path | /etc/passwd |
| file_path | /etc/shadow |