External risk intelligence

Budibase ZIP Processing Vulnerability Allows Arbitrary File Read

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-54352

Budibase is a low-code platform commonly deployed as a web application accessible via the network to allow users to build and manage applications. The vulnerable endpoint is part of the API used for application building and asset management, which is a core function of the platform and typically exposed to the users of the web interface.

Path Traversal

Budibase

before 3.39.9

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability in the Budibase low-code platform allows an authenticated user to access and exfiltrate arbitrary files on the server. This issue stems from how the platform processes uploaded zip files, specifically its handling of symbolic links during file extraction and processing, potentially exposing sensitive data.

  • Attackers can read any file the server can access.
  • It impacts a core function of a widely used low-code tool.
  • Confirming if Budibase is used is the primary executive action.

Attack Path

How an attacker could exploit the issue

An attacker with builder privileges could exploit this vulnerability by uploading a specially crafted ZIP file. This file contains a symbolic link that points to an arbitrary file on the server. When the Budibase platform processes this ZIP file, it incorrectly handles the symbolic link, allowing the attacker to read any file accessible by the server process. The content of this file is then streamed back to the attacker through an asset-fetching endpoint.

  • Requires builder access.
  • ZIP file with symbolic link.
  • Read any server file.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, a workspace-level builder could access and exfiltrate any file readable by the Budibase server process, potentially exposing sensitive information stored on the server.

  • Server files could be at risk.
  • Malicious zip uploaded via API.
  • Unauthorized data exfiltration may occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Budibase platform's backend is likely managed by the infrastructure or platform team, while application-specific configurations and criticality would fall under application owners. Security and network teams should verify external exposure and implement access controls. The initial step is to identify all Budibase instances, assess their reachability and business impact, and then coordinate remediation with accountable teams.

  • Identify Budibase instances and assess impact.
  • Confirm reachability and business criticality.
  • Plan remediation with accountable owners.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Budibase?

Budibase is an open-source, low-code platform designed to help teams quickly build, automate, and manage internal business applications. It provides tools for creating data-driven interfaces and workflows without requiring extensive manual coding. Because it serves as a central hub for application development, it often holds or interacts with sensitive data, making it a critical component of an organization's software infrastructure.

How does CVE-2026-54352 work?

This vulnerability is a path traversal and improper link resolution issue, categorized as CWE-22 and CWE-59. It occurs because the platform's ZIP extraction and file-handling process fails to block symbolic links. By uploading a crafted ZIP file containing a symlink, an attacker can trick the server into reading files outside of the intended directory and then streaming that file's contents back to the attacker via the asset-fetching API.

Do I need to upload a malicious file to trigger this?

Yes, an attacker must interact with the application by uploading a specifically structured ZIP file through the builder API. Simply visiting the Budibase web interface or using existing features normally will not trigger this vulnerability. The issue is specific to the handling of files during the upload and processing phase, meaning standard application use by end-users does not initiate the flaw.

Is my Budibase instance at risk?

According to Halo Surface Signal, Budibase is typically deployed as a web application, making its management API accessible over the network. If your instance is reachable via the internet, the risk is higher, as an attacker with builder-level credentials could exfiltrate sensitive server files remotely. Even internal-only instances remain vulnerable if an unauthorized user gains builder access to the platform.

How do I secure my environment?

The most effective way to address this vulnerability is to upgrade your Budibase installation to version 3.39.9 or later. Before applying the fix, identify all active Budibase instances in your environment and coordinate with your infrastructure or platform teams to prioritize the update. Once patched, verify that the platform is running the secure version to prevent exploitation of the file-processing mechanism.

References