budibase

v3.39.4 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 6d Developer Productivity

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

ai-app-builder ai-applications crud-app crud-application data-application data-apps

+12 more

internal-tools it-workflows low-code low-code-no-code low-code-platform no-code no-code-platform rest-api-framework sql-gui workflow-apps workflow-automation workflow-engine

Affected surfaces

rce_ssrf

ReleasePort's take

Moderate signal

editorial:auto 6d

ReleasePort Layer 1 version 3.39.4 fixes an SSRF vulnerability in the AI table generation upload URL fetch path.

Why it matters: The release patches a high‑severity (severity 95) SSRF flaw affecting the AI table generation endpoint; operators should upgrade immediately to mitigate risk.

Summary

AI summary

Fixes SSRF vulnerability in the AI table generation upload URL fetch path.

Changes in this release

Type	Severity	Summary	CVE
Security	Critical	Fixes SSRF vulnerability in AI table generation uploadUrl fetch path Fixes SSRF vulnerability in AI table generation uploadUrl fetch path Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix
Bugfix	Medium	Validates linked relationship field names to prevent bugs Validates linked relationship field names to prevent bugs Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Medium	Fixes s3 upload issue reported by @ConorWebb96 Fixes s3 upload issue reported by @ConorWebb96 Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Low	Swaps API Bindings draw default-value for binding-name Swaps API Bindings draw default-value for binding-name Source: llm_adapter@2026-05-28 Confidence: high	—

Full changelog

What's Changed

Fix/s3 upload by @ConorWebb96 in https://github.com/Budibase/budibase/pull/18864
Swaps API Bindings draw default-value for binding-name by @mikesealey in https://github.com/Budibase/budibase/pull/18855
[Bug] Validate linked relationship field names by @adrinr in https://github.com/Budibase/budibase/pull/18861
Fix SSRF in AI table generation uploadUrl fetch path by @adrinr in https://github.com/Budibase/budibase/pull/18866

Full Changelog: https://github.com/Budibase/budibase/compare/3.39.3...3.39.4

Security Fixes

Fix SSRF in AI table generation uploadUrl fetch path

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track budibase

Get notified when new releases ship.

About budibase

AI agents that run your operations. Model agnostic.

All releases →