budibase

v3.38.4 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 20d Developer Productivity

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 3 known CVEs

Topics

ai-app-builder ai-applications crud-app crud-application data-application data-apps

+12 more

internal-tools it-workflows low-code low-code-no-code low-code-platform no-code no-code-platform rest-api-framework sql-gui workflow-apps workflow-automation workflow-engine

Affected surfaces

auth rbac

ReleasePort's take

Light signal

editorial:auto 13d

Budibase 3.38.4 tightens authentication for webhook schema updates, restricts public API global role changes, and hardens markdown rendering. Includes a branch automation UI fix.

Why it matters: Validate webhook, API, and markdown features in dev before deployment. Apply patch using standard security change control procedures.

Summary

AI summary

Require authentication for webhook schema updates, restrict public API global role changes, and harden markdown rendering.

Changes in this release

Type	Severity	Summary	CVE
Security
Security	Medium	Require authentication for webhook schema updates. Require authentication for webhook schema updates. Source: llm_adapter@2026-05-21 Confidence: low	—
Security	Medium	Restrict public API global role changes. Restrict public API global role changes. Source: llm_adapter@2026-05-21 Confidence: low	—
Security	Medium	Harden markdown rendering to prevent vulnerabilities. Harden markdown rendering to prevent vulnerabilities. Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Fix branch automation node dragging issue. Fix branch automation node dragging issue. Source: llm_adapter@2026-05-21 Confidence: high	—

Full changelog

What's Changed

[Security] Require auth for webhook schema updates by @PClmnt in https://github.com/Budibase/budibase/pull/18773
Fix branch automation node dragging by @melohagan in https://github.com/Budibase/budibase/pull/18783
[Security] Restrict public API global role changes by @PClmnt in https://github.com/Budibase/budibase/pull/18771
[Security] Harden markdown rendering by @PClmnt in https://github.com/Budibase/budibase/pull/18770

Full Changelog: https://github.com/Budibase/budibase/compare/3.38.3...3.38.4

Security Fixes

Require auth for webhook schema updates
Restrict public API global role changes
Harden markdown rendering

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track budibase

Get notified when new releases ship.

About budibase

AI agents that run your operations. Model agnostic.

All releases →