CVE-2026-35214
Published: 03 April 2026
Summary
CVE-2026-35214 is a high-severity Path Traversal (CWE-22) vulnerability in Budibase Budibase. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of user-supplied filenames to block path traversal sequences like ../ in the plugin upload endpoint before passing to createTempFolder().
Mandates timely remediation of flaws like this path traversal vulnerability, as addressed by the patch in Budibase version 3.33.4.
Monitors for unauthorized modifications to software, firmware, and information, detecting arbitrary file writes and directory deletions via rmSync and tarball extraction.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in public-facing web app's plugin upload endpoint (T1190) enables authenticated exploitation for privilege escalation to arbitrary filesystem write/delete (T1068), including direct file/directory deletion via rmSync (T1070.004).
NVD Description
Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload…
more
with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4.
Deeper analysisAI
CVE-2026-35214 is a path traversal vulnerability (CWE-22) in Budibase, an open-source low-code platform. In versions prior to 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes user-supplied filenames directly to the createTempFolder() function without sanitizing path traversal sequences like ../. This flaw has a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H).
An authenticated attacker with Global Builder privileges can exploit the vulnerability over the network with low complexity and no user interaction. By crafting a multipart upload request with a filename containing ../ sequences, the attacker can delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path accessible by the Node.js process, potentially leading to significant integrity and availability impacts across the scoped components.
The vulnerability has been patched in Budibase version 3.33.4. Mitigation involves upgrading to this version or later. Official resources include the patching commit (https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879), pull request (https://github.com/Budibase/budibase/pull/18240), release tag (https://github.com/Budibase/budibase/releases/tag/3.33.4), and security advisory (https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23).
Details
- CWE(s)