
budibase

v3.38.2 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 3 known CVEs

Topics

ai-app-builder ai-applications crud-app crud-application data-application data-apps
internal-tools it-workflows low-code low-code-no-code low-code-platform no-code no-code-platform rest-api-framework sql-gui workflow-apps workflow-automation workflow-engine

Affected surfaces

auth rbac

ReleasePort's take

Moderate signal
editorial:auto 13d

Version 3.38.2 of Budibase now requires admin access for SCIM routes, invalidates user caches after bulk role updates, and blocks active‑content attachment uploads.

Why it matters: Enforce admin restriction on SCIM endpoints immediately; invalidate caches post‑bulk updates to avoid stale auth; block active‑content attachments to mitigate injection risks. No version bounds or deadlines are specified.

Summary

AI summary

Require admin access for SCIM routes, invalidate user cache after bulk role updates, and block active content attachment uploads.

Changes in this release

Security Medium

User cache invalidated after bulk role updates to prevent stale auth.


Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Admin access required for SCIM routes; restricts user provisioning access.


Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Active content attachment uploads blocked; prevents injection attacks.


Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Context usage indicator displayed in agent chat interface.


Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Action type breakdown added to actions quota reporting.


Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Telegram added as new deployment channel option.


Source: llm_adapter@2026-05-21

Confidence: low

Refactor Medium

Packages marked private; build script added for internal build.


Source: llm_adapter@2026-05-21

Confidence: low

Full changelog

What's Changed

  • Mark packages as private and add build script by @adrinr in https://github.com/Budibase/budibase/pull/18766
  • [Security] Invalidate user cache after bulk role updates by @PClmnt in https://github.com/Budibase/budibase/pull/18762
  • [Security] Require admin access for SCIM routes by @PClmnt in https://github.com/Budibase/budibase/pull/18760
  • Show context usage indicator in agent chat by @PClmnt in https://github.com/Budibase/budibase/pull/18744
  • [Security] Block active content attachment uploads by @PClmnt in https://github.com/Budibase/budibase/pull/18763
  • Add breakdown by action type to the actions quota by @jvcalderon in https://github.com/Budibase/budibase/pull/18769
  • Add Telegram deployment channel by @PClmnt in https://github.com/Budibase/budibase/pull/18582

Full Changelog: https://github.com/Budibase/budibase/compare/3.38.1...3.38.2

Security Fixes

  • Invalidate user cache after bulk role updates
  • Require admin access for SCIM routes
  • Block active content attachment uploads


About budibase

AI agents that run your operations. Model agnostic.
