PatchSiren cyber security CVE debrief
CVE-2026-54352 Budibase CVE debrief
CVE-2026-54352 is a critical vulnerability in Budibase, an open-source low-code platform. The vulnerability allows a workspace-level builder to read any file the server process can open. This is possible due to a flaw in the `POST /api/pwa/process-zip` endpoint, which accepts a builder-uploaded .zip file, extracts it, and then streams the bytes of the extracted files into MinIO. The issue arises because [email protected] preserves absolute symlink targets, and the icon-source validator does not properly reject symbolic-link entries. As a result, an attacker can exploit this vulnerability to read sensitive files on the server. The vulnerability has a CVSS score of 9.6 and is classified as CRITICAL. It was published on June 26, 2026, and modified on June 29, 2026.
- Vendor
- Budibase
- Product
- Unknown
- CVSS
- CRITICAL 9.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-26
- Original CVE updated
- 2026-06-29
- Advisory published
- 2026-06-26
- Advisory updated
- 2026-06-29
Who should care
Budibase users and administrators should be aware of this vulnerability and take immediate action to patch their systems. This vulnerability can be exploited by a workspace-level builder, which makes it a critical issue for organizations using Budibase. Additionally, security teams and vulnerability managers should prioritize this vulnerability due to its high CVSS score and potential impact on the organization.
Technical summary
The vulnerability is caused by a flaw in the `POST /api/pwa/process-zip` endpoint, which accepts a builder-uploaded .zip file and extracts it using [email protected]. The extracted files are then streamed into MinIO, and the icon-source validator does not properly reject symbolic-link entries. This allows an attacker to read any file on the server that the server process can open. The vulnerability is fixed in version 3.39.9 of Budibase.
Defensive priority
This vulnerability should be prioritized due to its high CVSS score of 9.6 and its potential impact on the organization. Budibase users and administrators should take immediate action to patch their systems.
Recommended defensive actions
- Apply the patch: Upgrade to Budibase version 3.39.9 or later to fix the vulnerability.
- Review and update: Review the Budibase documentation and update the configuration to ensure that the patch is properly applied.
- Monitor and audit: Monitor the system for suspicious activity and perform regular audits to detect potential exploitation.
- Implement compensating controls: Implement compensating controls, such as access controls and file system permissions, to limit the impact of the vulnerability.
- Verify and validate: Verify and validate that the patch has been successfully applied and that the system is no longer vulnerable.
Evidence notes
The vulnerability is documented in the CVE record and the NVD detail page. The source item URL provides additional information about the vulnerability, including the CVSS vector and weaknesses. The reference URL provides information about the fix in version 3.39.9 of Budibase.
Official resources
-
CVE-2026-54352 CVE record
CVE.org
-
CVE-2026-54352 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
This article is AI-assisted and based on the supplied source corpus.