CVE-2026-30240

Budibase · Budibase (PWA Component)

A path traversal vulnerability in Budibase's PWA ZIP processing allows authenticated builders to exfiltrate sensitive server files, including environment variables and encryption keys.

Executive summary

Authenticated users with builder privileges can completely compromise the Budibase platform by using a path traversal flaw to steal cryptographic secrets and service credentials.

Vulnerability

A path traversal flaw exists in the POST /api/pwa/process-zip endpoint. By crafting a malicious icons.json file inside a ZIP upload, an authenticated builder can force the server to read arbitrary files, such as /proc/1/environ, and upload them to public-facing object storage.

Business impact

This vulnerability leads to a total platform compromise. By exfiltrating environment variables, an attacker gains access to JWT secrets, database credentials, and API tokens. The CVSS score of 9.6 is justified because the flaw allows a user with limited "builder" permissions to elevate their access to a full system administrator and compromise the underlying infrastructure.

Remediation

Immediate Action: Update Budibase to the latest version (post-3.31.5), which includes sanitized path joining and input validation for the PWA processing endpoint.
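As an added illustration of the kind of fix described above (sanitized path joining plus validation of the manifest entries before any file is read or copied to object storage), the following TypeScript is not Budibase's own code. It assumes a hypothetical manifest shaped as a list of { src, sizes, type } entries and a hypothetical extraction directory; every entry whose resolved path falls outside that directory, or that is not an image file, is refused and reported so the caller can fail the whole upload.

```typescript
import * as path from "path";

// Assumed manifest shape, for illustration only: icons.json as a list of
// { src, sizes, type } objects. Budibase's real manifest format is not
// shown in the advisory.
export interface IconEntry {
  src: string;
  sizes?: string;
  type?: string;
}

export interface RejectedEntry {
  src: string;
  reason: "path" | "type";
}

export interface IconValidation {
  accepted: string[]; // absolute paths strictly inside the extraction directory
  rejected: RejectedEntry[]; // raw src values that failed, with the failing check
}

// Only these icon file types are accepted from an uploaded manifest.
const ALLOWED_EXTENSIONS: Set<string> = new Set([
  ".png", ".ico", ".svg", ".webp", ".jpg", ".jpeg",
]);

// Resolve an untrusted, manifest-supplied path against the trusted
// extraction directory. Returns null unless the result is strictly inside
// that directory: absolute paths, NUL bytes, the directory itself and any
// "../" that climbs out are all refused. The trailing separator in the
// prefix check stops "/tmp/x-other" from passing as inside "/tmp/x".
export function resolveInside(baseDir: string, untrusted: string): string | null {
  if (typeof untrusted !== "string" || untrusted.length === 0) return null;
  if (untrusted.includes("\0") || path.isAbsolute(untrusted)) return null;
  const root = path.resolve(baseDir);
  const resolved = path.resolve(root, untrusted);
  if (!resolved.startsWith(root + path.sep)) return null;
  return resolved;
}

// Throwing variant for call sites that want to abort the request outright.
export function safeJoin(baseDir: string, untrusted: string): string {
  const resolved = resolveInside(baseDir, untrusted);
  if (resolved === null) {
    throw new Error(`refusing path outside extraction directory: ${untrusted}`);
  }
  return resolved;
}

// Validate every entry before touching the filesystem or object storage.
// A caller should reject the upload when `rejected` is non-empty rather
// than silently processing the remaining entries.
export function validateIcons(extractDir: string, entries: IconEntry[]): IconValidation {
  const result: IconValidation = { accepted: [], rejected: [] };
  for (const entry of entries) {
    const src = typeof entry.src === "string" ? entry.src : "";
    const resolved = resolveInside(extractDir, src);
    if (resolved === null) {
      result.rejected.push({ src, reason: "path" });
      continue;
    }
    if (!ALLOWED_EXTENSIONS.has(path.extname(resolved).toLowerCase())) {
      result.rejected.push({ src, reason: "type" });
      continue;
    }
    result.accepted.push(resolved);
  }
  return result;
}

// Constructed sample manifest (not a real upload): one legitimate icon and
// three entries that must be refused, including the traversal towards
// /proc/1/environ that the advisory names.
export const SAMPLE_MANIFEST: IconEntry[] = [
  { src: "icons/icon-192.png", sizes: "192x192", type: "image/png" },
  { src: "../../../../proc/1/environ", sizes: "512x512", type: "image/png" },
  { src: "/proc/1/environ", sizes: "512x512", type: "image/png" },
  { src: "icons/readme.txt", sizes: "192x192", type: "text/plain" },
];

// Runs the validator over the constructed manifest against a hypothetical
// extraction directory; expected: one accepted path, three rejections.
export function demo(): IconValidation {
  return validateIcons("/tmp/pwa-extract", SAMPLE_MANIFEST);
}
```

The check is done on the resolved path rather than by searching the string for "../", so a relative path that climbs and then re-enters the directory (for example "icons/../icon.png") is still allowed, while anything that ends up outside the directory is refused regardless of how it was spelled. Checking the extension on the resolved path means a manifest cannot smuggle a non-image file through by declaring an image MIME type.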

Proactive Monitoring: Monitor MinIO or S3 object stores for unexpected file uploads, and review builder activity logs for suspicious ZIP processing requests.

Compensating Controls: Implement the principle of least privilege by restricting builder access to trusted personnel, and rotate all secrets (JWT, DB, API keys) if exploitation is suspected.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The ability to exfiltrate the server's environment variables is a "game-over" scenario for any application. Organizations using Budibase must update their installations immediately and consider rotating all platform secrets as a precautionary measure.