CVE-2026-30240
Published: 09 March 2026
Summary
CVE-2026-30240 is a critical-severity Path Traversal (CWE-22) vulnerability in Budibase Budibase. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates path traversal by requiring validation of user-controlled file paths from icons.json in the ZIP processing endpoint.
Remediates the specific flaw in unsanitized path.join() usage, preventing exploitation through timely patching as advised in the Budibase security advisory.
Enforces logical access controls to restrict the PWA endpoint from reading arbitrary server filesystem locations like /proc/1/environ.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in public-facing ZIP endpoint enables T1190 exploitation; directly allows arbitrary local file reads (T1005) including credential files (/proc/1/environ, configs) via T1552.001; server-side upload of contents to S3/MinIO facilitates T1567.002 exfiltration.
NVD Description
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint (POST /api/pwa/process-zip) allows an authenticated user with builder privileges…
more
to read arbitrary files from the server filesystem, including /proc/1/environ which contains all environment variables — JWT secrets, database credentials, encryption keys, and API tokens. The server reads attacker-specified files via unsanitized path.join() with user-controlled input from icons.json inside the uploaded ZIP, then uploads the file contents to the object store (MinIO/S3) where they can be retrieved through signed URLs. This results in complete platform compromise as all cryptographic secrets and service credentials are exfiltrated in a single request.
Deeper analysisAI
CVE-2026-30240 is a path traversal vulnerability (CWE-22, CWE-73) in Budibase, a low-code platform for creating internal tools, workflows, and admin panels. It affects versions 3.31.5 and earlier, specifically in the PWA (Progressive Web App) ZIP processing endpoint at POST /api/pwa/process-zip. The vulnerability arises from the server using unsanitized path.join() with user-controlled input sourced from icons.json within an uploaded ZIP file, enabling the reading of arbitrary files from the server filesystem.
An authenticated user with builder privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting a malicious ZIP file, the attacker tricks the server into reading sensitive files such as /proc/1/environ, which exposes environment variables including JWT secrets, database credentials, encryption keys, and API tokens. The server then uploads these file contents to an object store like MinIO or S3, where the attacker can retrieve them via signed URLs, resulting in complete platform compromise with high confidentiality and integrity impacts (CVSS 9.6: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).
The Budibase security advisory at https://github.com/Budibase/budibase/security/advisories/GHSA-pqcr-jmfv-c9cp provides details on patches and mitigation steps.
Details
- CWE(s)