What is the CVSS score of CVE-2026-30240?

CVE-2026-30240 has a CVSS 3.1 base score of 9.6 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Budibase are affected by CVE-2026-30240?

A critical vulnerability (CVSS 9.6) in Budibase affects organizations using this low-code platform for internal tools and administrative functions.

How to fix or mitigate CVE-2026-30240?

Within 24 hours: Inventory all Budibase instances and document their purpose, data sensitivity, and user count. Implement network isolation of affected systems if possible. Within 7 days: Deploy Web Application Firewall (WAF) rules to restrict Budibase access to essential users only; disable non-essential features and API endpoints. Within 30 days: Evaluate migration to alternative low-code platforms or request vendor timeline for patch; implement enhanced monitoring and logging for all Budibase activity.

Budibase CVE-2026-30240

CRITICAL

Path Traversal (CWE-22)

2026-03-09 security-advisories@github.com

Path Traversal Budibase

9.6

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.6 CRITICAL

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:56 vuln.today

CVE Published

Mar 09, 2026 - 21:16 nvd

CRITICAL 9.6

DescriptionGitHub Advisory

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint (POST /api/pwa/process-zip) allows an authenticated user with builder privileges to read arbitrary files from the server filesystem, including /proc/1/environ which contains all environment variables - JWT secrets, database credentials, encryption keys, and API tokens. The server reads attacker-specified files via unsanitized path.join() with user-controlled input from icons.json inside the uploaded ZIP, then uploads the file contents to the object store (MinIO/S3) where they can be retrieved through signed URLs. This results in complete platform compromise as all cryptographic secrets and service credentials are exfiltrated in a single request.

AnalysisAI

Path traversal in Budibase low-code platform 3.31.5 and earlier allows attackers to read arbitrary files through the application builder.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as builder user

Delivery

Upload crafted PWA ZIP with malicious icons.json

Exploit

Send POST request to /api/pwa/process-zip

Execution

Path traversal reads /proc/1/environ

Impact

Exfiltrate environment variables containing secrets