budibase

v3.38.1 Security

This release includes 6 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 6 known CVEs

Topics

ai-app-builder ai-applications crud-app crud-application data-application data-apps
internal-tools it-workflows low-code low-code-no-code low-code-platform no-code no-code-platform rest-api-framework sql-gui workflow-apps workflow-automation workflow-engine

Affected surfaces

auth rbac

ReleasePort's take

Moderate signal
editorial:auto 13d

Budibase 3.38.1 ships multiple security hardening measures, including a fix for a prototype pollution bypass and view scope enforcement for row actions, alongside new features and dependency updates.

Why it matters: Security hardening focused on view scopes, datasource access control, and REST redirect handling. For deployments using row actions or custom datasources, test this release in dev before production to verify continued functionality.

Summary

AI summary

Enforce view scope for row action triggers, closing a security vulnerability.

Changes in this release

Security Medium

Fix prototype pollution bypass in view calculation validation

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Remove unused global user onboarding endpoint

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Enforce view scope for row action triggers

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Require builder access for datasource updates

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Validate legacy view calculations

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Harden REST datasource redirect handling

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Recover exited SQS in single image

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Display usage for queries in automations

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

State variables now searchable via state selector

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Handle SharePoint file delete actions

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Make themes per-app, adjust fonts, allow app font selection

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Emit error events for action failures

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Add increment/decrement controls for number input fields

Source: llm_adapter@2026-05-21

Confidence: low

Dependency Medium

Bump hono from 4.12.14 to 4.12.18

Source: llm_adapter@2026-05-21

Confidence: low

Dependency Medium

Build dependencies updated across 1 directory with 3 updates

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Stop processing attachments on workspace update

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Fix mime type display in agent knowledge builder

Source: llm_adapter@2026-05-21

Confidence: high

Full changelog

What's Changed

  • Stop processing attachments on workspace update by @deanhannigan in https://github.com/Budibase/budibase/pull/18724
  • fix: mime type display in agent knowledge builder by @Dakuan in https://github.com/Budibase/budibase/pull/18746
  • Feat/recover exited sqs in single image by @calexiou in https://github.com/Budibase/budibase/pull/18728
  • Display usage for queries in automations by @devin-ai-integration[bot] in https://github.com/Budibase/budibase/pull/18627
  • Bump hono from 4.12.14 to 4.12.18 in the all-non-major-security group across 1 directory by @dependabot[bot] in https://github.com/Budibase/budibase/pull/18737
  • build(deps): bump the all-non-major-security group across 1 directory with 3 updates by @dependabot[bot] in https://github.com/Budibase/budibase/pull/18756
  • Fix prototype pollution bypass in view calculation validation by @cubic-dev-ai[bot] in https://github.com/Budibase/budibase/pull/18759
  • State variables searchable state selector by @ConorWebb96 in https://github.com/Budibase/budibase/pull/18758
  • feat: handle sharepoint file delete by @Dakuan in https://github.com/Budibase/budibase/pull/18721
  • make themes per-app rather than per-workspace, adjust default fonts and allow app font selection by @andz-bb in https://github.com/Budibase/budibase/pull/18743
  • Emit error events for action failures by @jvcalderon in https://github.com/Budibase/budibase/pull/18757
  • [Security] Remove unused global user onboarding endpoint by @PClmnt in https://github.com/Budibase/budibase/pull/18752
  • Add increment decrement controls for number input fields by @ConorWebb96 in https://github.com/Budibase/budibase/pull/18734
  • [Security] Enforce view scope for row action triggers by @PClmnt in https://github.com/Budibase/budibase/pull/18754
  • [Security] Require builder access for datasource updates by @PClmnt in https://github.com/Budibase/budibase/pull/18753
  • [Security] Validate legacy view calculations by @PClmnt in https://github.com/Budibase/budibase/pull/18755
  • [Security] Harden REST datasource redirect handling by @PClmnt in https://github.com/Budibase/budibase/pull/18751

New Contributors

  • @devin-ai-integration[bot] made their first contribution in https://github.com/Budibase/budibase/pull/18627

Full Changelog: https://github.com/Budibase/budibase/compare/3.38.0...3.38.1

Security Fixes

  • Fix prototype pollution bypass in view calculation validation
  • Remove unused global user onboarding endpoint (Security)
  • Enforce view scope for row action triggers (Security)
  • Require builder access for datasource updates (Security)
  • Validate legacy view calculations (Security)
  • Harden REST datasource redirect handling (Security)

About budibase

AI agents that run your operations. Model agnostic.
