Budibase, the popular open-source low-code platform for building internal business applications, has released security patches for two critical vulnerabilities. The flaws, CVE-2026-30240 and CVE-2026-31816, could allow attackers to bypass authentication and exfiltrate sensitive production secrets.
The more alarming of the two is CVE-2026-31816, which carries a CVSS score of 9.1. The flaw lies in the platform's authorized() middleware, which is supposed to protect every server-side API endpoint. Because the isWebhookEndpoint() function uses an unanchored regular expression, the middleware matches the webhook pattern anywhere in the request URL rather than only in the path. By simply appending a webhook path pattern, such as ?/webhooks/trigger, to the query string of any request, an attacker can make the server skip all authentication and authorization checks.
The Impact:
- Complete Bypass: Attackers gain full access to API endpoints without a username or password.
- Data Exposure: Full CRUD (Create, Read, Update, Delete) access to tables, rows, automations, and plugins.
- Zero Interaction: This is a pure network attack; no “phishing” or user clicks are required to trigger it.
While the first flaw opens the front door, CVE-2026-30240 (CVSS of 9.6) allows those with “Builder” privileges to ransack the house.
This vulnerability exists in the Progressive Web App (PWA) ZIP processing endpoint. By uploading a specially crafted ZIP file containing a malicious icons.json, a builder can supply unsanitized inputs to path.join() and perform a path traversal attack. This allows them to read arbitrary files from the server's filesystem, including /proc/1/environ, the file that exposes all environment variables of the main server process.
The Impact:
- Secret Theft: Attackers can exfiltrate JWT secrets, database credentials, and API tokens.
- Cross-Tenant Risk: On Budibase Cloud, a builder on a single tenant could potentially exfiltrate platform-wide secrets, affecting all customers.
- Live Confirmation: This was confirmed on production systems, where 19 critical secrets, including AWS IAM keys and OpenAI API keys, were successfully exfiltrated.
These vulnerabilities represent a “complete platform compromise”. By leaking the JWT_SECRET, attackers can forge admin tokens for any user, and by stealing the API_ENCRYPTION_KEY, they can decrypt every stored datasource password in the system.