formbricks

v5.0.0 Security

This release includes 5 security fixes for security teams reviewing exposed deployments.

Published 8d Productivity & Wikis
✓ No known CVEs patched
This release patches 5 known CVEs

Topics

experience-management form forms nextjs react reactjs
survey survey-analysis survey-data survey-form surveys tailwindcss turborepo typeform typescript xm

Affected surfaces

breaking_upgrade

Summary

AI summary

Broad release touches fix, feat, chore, and deps.

Full changelog

⚠️ Important: Self-hosting Migration Required

Formbricks 5 adds new mandatory infrastructure components (Cube and the Formbricks Hub services) and ships major data-model changes. Please read the migration guide carefully before upgrading.

Formbricks 5 is our biggest release yet. It evolves Formbricks from a pure survey tool into a complete Experience Management (XM) suite — combining survey collection, a unified feedback directory, and cross-survey dashboards in one platform.

What's New in Formbricks 5

🧩 Unify Feedback — a single home for all your customer feedback

  • Feedback Directories: Aggregate responses from any number of surveys and external data sources into one structured directory, giving you a unified view of customer feedback across products and channels.
  • Feedback Sources: Connect surveys (and, going forward, additional sources like CSV imports and third-party tools) to a directory with a few clicks.
  • Similar feedback: Quickly find related responses across your directory while reviewing a record.

📊 Cross-survey Dashboards

  • Build dashboards across entire feedback directories — not just a single survey. Combine NPS, CSAT, CES, ratings, and open-text insights from many surveys in one view.
  • AI-powered chart generation: Describe the chart you want; Formbricks builds it.
  • New question types: First-class CSAT and CES support so they can be aggregated alongside NPS and ratings.

🏢 Workspaces (formerly Projects)

  • "Projects" have been renamed to Workspaces throughout the product to better reflect how teams organize XM programs. Existing data and integrations continue to work; only the terminology and UI have changed.
  • Unified Settings UI with a shared sidebar for organization, workspace, and account settings.

🤖 AI Across the Product

  • AI survey translation for faster multi-language rollouts.
  • Pluggable AI provider support: Bring your own model via AWS Bedrock, Google Vertex AI (with ADC credentials), or Azure OpenAI — configurable per deployment.
  • AI features (translations, chart generation, topic classification) are gated behind licensing checks so admins keep full control.

🛠️ Survey Building & Runtime

  • AI-translated surveys, accessibility improvements (keyboard navigation, focus traps, prefers-reduced-motion support), and numerous fixes to offline mode, the response pipeline, and the survey widget's CSS isolation.

🏗️ Infrastructure & Platform

  • Cube is now a mandatory baseline dependency powering analytics and dashboards.
  • Formbricks Hub services (worker + embeddings runtime) power the unified feedback directory and AI features.
  • BullMQ-based background jobs replace ad-hoc workers — including a fully rebuilt response pipeline and survey scheduler.
  • Envoy gateway for the new feedback-records APIs with built-in rate limiting.
  • RustFS replaces MinIO as the bundled S3-compatible storage for self-hosters.
  • API v3: Survey overview and analytics endpoints have been migrated; v1 remains supported.
  • Numerous security hardening fixes (SSRF protections, CSRF on OAuth flows, body-size limits, export sanitization, step-up auth for sensitive actions, and more).

Enterprise Features

Most of the new XM capabilities — Unify Feedback, Feedback Directories, Dashboards, and the AI features — are enterprise features. Self-hosters will need an updated license with the corresponding feature flags enabled to use them. Get in touch if you'd like to evaluate them.

SDKs

We're also releasing new versions of the Formbricks SDKs alongside this release. All current SDKs remain fully compatible with Formbricks 5 — no forced upgrade is required. If you'd like to move to the newer SDK shape (which uses workspace IDs instead of environment IDs), follow the Workspace ID Migration guide.

Upgrading

Follow the Formbricks 5 migration guide before deploying. The new Cube and Hub services are required, and several database migrations run on first startup.

A massive thank you to everyone who tested the beta and RC releases, opened issues, and contributed PRs. Formbricks 5 wouldn't exist without you. 💙


What's Changed

  • fix: validate "Other" option text on required questions and remove duplicate response entry by @Dhruwang in https://github.com/formbricks/formbricks/pull/7716
  • fix: only show beforeunload warning when offline support is active by @Dhruwang in https://github.com/formbricks/formbricks/pull/7715
  • fix: prevent TTC overcount for multi-question blocks by @jobenjada in https://github.com/formbricks/formbricks/pull/7713
  • revert: enhance welcome card to support video uploads by @jobenjada in https://github.com/formbricks/formbricks/pull/7712
  • feat: add auto-progress mode for rating and NPS surveys by @jobenjada in https://github.com/formbricks/formbricks/pull/7709
  • fix: add missing PostHog events by @pandeymangg in https://github.com/formbricks/formbricks/pull/7722
  • fix: add loading skeleton for responses page by @Dhruwang in https://github.com/formbricks/formbricks/pull/7700
  • fix: fixes unique constraint error with singleUseId and surveyId by @pandeymangg in https://github.com/formbricks/formbricks/pull/7737
  • fix: strip @layer properties block to prevent host page CSS pollution by @mariusbolik in https://github.com/formbricks/formbricks/pull/7685
  • fix: prevent OIDC button text overlap with 'last used' indicator by @HamzaSwitch in https://github.com/formbricks/formbricks/pull/7731
  • fix: prevent offline replay from dropping survey blocks after completion by @Dhruwang in https://github.com/formbricks/formbricks/pull/7743
  • fix: remove dark: variant classes from survey-ui to prevent host page style leakage by @Dhruwang in https://github.com/formbricks/formbricks/pull/7747
  • fix: connect rating/NPS scale labels to label styling settings by @Dhruwang in https://github.com/formbricks/formbricks/pull/7738
  • chore: translation management revamp (scope 1) by @Dhruwang in https://github.com/formbricks/formbricks/pull/7733
  • chore: Add survey to formbricks docs by @harshsbhat in https://github.com/formbricks/formbricks/pull/7746
  • fix: keep sidebar switcher icons round with long labels by @jobenjada in https://github.com/formbricks/formbricks/pull/7756
  • fix: make other option input field mandatory when sole selection by @Dhruwang in https://github.com/formbricks/formbricks/pull/7751
  • fix: prevent environment ID leak in API error responses by @Dhruwang in https://github.com/formbricks/formbricks/pull/7753
  • fix: redirect active project and organization selections by @jobenjada in https://github.com/formbricks/formbricks/pull/7724
  • feat: migrate survey overview to v3 APIs by @BhagyaAmarasinghe in https://github.com/formbricks/formbricks/pull/7741
  • fix: mark Identify Customer Goals survey as translatable by @urbalazs in https://github.com/formbricks/formbricks/pull/7566
  • fix: fix duplicate block and misleading subheader in trial conversion template by @nielskaspers in https://github.com/formbricks/formbricks/pull/7560
  • feat: extend auto-progress to single-select question types by @jobenjada in https://github.com/formbricks/formbricks/pull/7725
  • fix: response tag UI issues in response modal by @Dhruwang in https://github.com/formbricks/formbricks/pull/7765
  • fix: prevent split offline responses on restore by @BhagyaAmarasinghe in https://github.com/formbricks/formbricks/pull/7767
  • fix: fixes sentry ref issue by @pandeymangg in https://github.com/formbricks/formbricks/pull/7776
  • feat: auto-fill safe attribute key from label by @jobenjada in https://github.com/formbricks/formbricks/pull/7771
  • fix: add accessible dialog title to project limit modal by @jobenjada in https://github.com/formbricks/formbricks/pull/7769
  • chore(deps): bump the npm_and_yarn group across 12 directories with 4 updates by @dependabot[bot] in https://github.com/formbricks/formbricks/pull/7680
  • fix: show oversized upload error when mime type is missing by @jobenjada in https://github.com/formbricks/formbricks/pull/7757
  • feat: Add Turkish (tr) translations by @onwp in https://github.com/formbricks/formbricks/pull/7645
  • fix: Hungarian translation by @urbalazs in https://github.com/formbricks/formbricks/pull/7752
  • fix: patch protobufjs transitive vulnerabilities by @BhagyaAmarasinghe in https://github.com/formbricks/formbricks/pull/7790
  • fix: lodash vulnerability by @mattinannt in https://github.com/formbricks/formbricks/pull/7800
  • refactor: use context instead of prop drilling in survey analysis components (#6223) by @arasucar in https://github.com/formbricks/formbricks/pull/7754
  • fix: harden legacy SSO relinking by @xernobyl in https://github.com/formbricks/formbricks/pull/7755
  • feat: replace minio with rustfs by @xernobyl in https://github.com/formbricks/formbricks/pull/7742
  • fix: prevent bypass of single-use survey restriction via v1 API by @aryanghugare in https://github.com/formbricks/formbricks/pull/7735
  • fix: prevent survey widget CSS from polluting host page styles by @Dhruwang in https://github.com/formbricks/formbricks/pull/7805
  • feat: add iframe preview to website embed tab by @Dhruwang in https://github.com/formbricks/formbricks/pull/7791
  • fix: prevent Airtable integration crash when token expires by @Dhruwang in https://github.com/formbricks/formbricks/pull/7811
  • fix: apply plan changes immediately for non-standard plans by @Dhruwang in https://github.com/formbricks/formbricks/pull/7807
  • chore(security): dependency audit — reduce attack surface & resolve all vulnerabilities by @mattinannt in https://github.com/formbricks/formbricks/pull/7801
  • fix: password hash visibility improvement by @xernobyl in https://github.com/formbricks/formbricks/pull/7814
  • fix: prevent SSRF via redirect following in webhook delivery by @pandeymangg in https://github.com/formbricks/formbricks/pull/7877
  • feat: add refetch button to refresh responses table by @Dhruwang in https://github.com/formbricks/formbricks/pull/7808
  • fix: replace organization name placeholder example by @jobenjada in https://github.com/formbricks/formbricks/pull/7832
  • fix: use app.formbricks.com in v1 API docs by @jobenjada in https://github.com/formbricks/formbricks/pull/7894
  • fix(survey-list): reduce v3 overview query cost by @BhagyaAmarasinghe in https://github.com/formbricks/formbricks/pull/7812
  • docs: document option ID prefilling by @jobenjada in https://github.com/formbricks/formbricks/pull/7893
  • chore(deps): bump the npm_and_yarn group across 5 directories with 2 updates by @dependabot[bot] in https://github.com/formbricks/formbricks/pull/7834
  • fix: require step-up authorization for account deletion by @xernobyl in https://github.com/formbricks/formbricks/pull/7901
  • fix: allow back navigation to prefilled questions in email embed surveys by @Dhruwang in https://github.com/formbricks/formbricks/pull/7900
  • feat: add PostHog experiment wrappers by @BhagyaAmarasinghe in https://github.com/formbricks/formbricks/pull/7899
  • fix: 7817 use fully translated inactive survey headings by @labeebahmad201 in https://github.com/formbricks/formbricks/pull/7836
  • fix: include partial response in trigger description by @jobenjada in https://github.com/formbricks/formbricks/pull/7908
  • fix: removed dead menu item & theme import by @jobenjada in https://github.com/formbricks/formbricks/pull/7909
  • fix: return generic credentials error for SSO-only accounts by @jobenjada in https://github.com/formbricks/formbricks/pull/7911
  • fix: duplicate action class name error by @pandeymangg in https://github.com/formbricks/formbricks/pull/7919
  • fix: reject SSO auto-provisioning when AUTH_SSO_DEFAULT_TEAM_ID is missing by @pandeymangg in https://github.com/formbricks/formbricks/pull/7926
  • fix: outlook preview by @xernobyl in https://github.com/formbricks/formbricks/pull/7803
  • fix: omit replicas when HPA is enabled by @BhagyaAmarasinghe in https://github.com/formbricks/formbricks/pull/7934
  • fix: cal and open text fields a11y semantic improvements by @itsjavi in https://github.com/formbricks/formbricks/pull/7936
  • feat: add Linear Releases integration to CI pipeline by @mattinannt in https://github.com/formbricks/formbricks/pull/7921
  • fix: recover incomplete initial setup by @jobenjada in https://github.com/formbricks/formbricks/pull/7912
  • refactor: rename gethasNoOrganizations to getHasNoOrganizations by @mattinannt in https://github.com/formbricks/formbricks/pull/7940
  • fix(security): strip sensitive survey and segment metadata from public client API by @mattinannt in https://github.com/formbricks/formbricks/pull/7931
  • fix: survey runtime accessibility for keyboard controls by @itsjavi in https://github.com/formbricks/formbricks/pull/7927
  • fix: survey modal accessibility issues by using a focus trap by @itsjavi in https://github.com/formbricks/formbricks/pull/7939
  • feat: add PostHog group analytics and feature events by @Dhruwang in https://github.com/formbricks/formbricks/pull/7914
  • fix: sso account deletion password check by @xernobyl in https://github.com/formbricks/formbricks/pull/7930
  • docs: fix env var names and add missing entries to reference table by @harshsbhat in https://github.com/formbricks/formbricks/pull/7964
  • chore: workspace delete confirmation dialog by @xernobyl in https://github.com/formbricks/formbricks/pull/7958
  • fix: fixes webhook ssrf toctou issue by @pandeymangg in https://github.com/formbricks/formbricks/pull/7954
  • chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates by @dependabot[bot] in https://github.com/formbricks/formbricks/pull/7977
  • chore: fix broken impressions count by @xernobyl in https://github.com/formbricks/formbricks/pull/7975
  • chore: consolidate CE enterprise trial license links to a single form… by @harshsbhat in https://github.com/formbricks/formbricks/pull/7929
  • docs: add docs for pretty url by @harshsbhat in https://github.com/formbricks/formbricks/pull/7932
  • fix: validate contact_id by @xernobyl in https://github.com/formbricks/formbricks/pull/7984
  • fix(i18n): replace fragmented translation concatenations with complete sentences (ENG-706) by @Dhruwang in https://github.com/formbricks/formbricks/pull/7969
  • fix: scope org-only v1 API key auth by @xernobyl in https://github.com/formbricks/formbricks/pull/7961
  • fix: improve file upload storage errors by @BhagyaAmarasinghe in https://github.com/formbricks/formbricks/pull/7978
  • fix: patch security dependency vulnerabilities for main by @mattinannt in https://github.com/formbricks/formbricks/pull/7990
  • fix: Hungarian translation polish (ENG-935) by @Dhruwang in https://github.com/formbricks/formbricks/pull/8000
  • fix(security): reject client-supplied emailVerificationDisabled in signup (ENG-816) by @Dhruwang in https://github.com/formbricks/formbricks/pull/7993
  • fix: clarify signup product updates opt-in by @jobenjada in https://github.com/formbricks/formbricks/pull/7994
  • fix: single-use survey restriction bypass by @BhagyaAmarasinghe in https://github.com/formbricks/formbricks/pull/7972
  • fix: fixes displays and responses api about survey status by @pandeymangg in https://github.com/formbricks/formbricks/pull/8007
  • chore: remove all Vercel deployment references by @mattinannt in https://github.com/formbricks/formbricks/pull/7997
  • fix: scope client API rate limits by environment by @BhagyaAmarasinghe in https://github.com/formbricks/formbricks/pull/8013
  • docs: add ACCESSIBILITY.md and accessibility issue template by @mattinannt in https://github.com/formbricks/formbricks/pull/8019
  • fix: updates the minimum permission in projectTeam access from read to readWrite by @pandeymangg in https://github.com/formbricks/formbricks/pull/8020
  • fix: rate limit storage uploads per environment by @BhagyaAmarasinghe in https://github.com/formbricks/formbricks/pull/8006
  • fix: skip Docker package removal when Docker is already installed by @BhagyaAmarasinghe in https://github.com/formbricks/formbricks/pull/7980
  • feat: Formbricks 5 by @Dhruwang in https://github.com/formbricks/formbricks/pull/8017
  • refactor(unify): clarify feedback source terminology and chart builder copy by @itsjavi in https://github.com/formbricks/formbricks/pull/8026
  • chore: A/B Test - Onboarding - Skip "CX Choice" step by @harshsbhat in https://github.com/formbricks/formbricks/pull/7952
  • chore: use direct form link on all "request license" buttons instead of /enterprise-license page by @harshsbhat in https://github.com/formbricks/formbricks/pull/8033
  • chore: A/B Test - Onboarding - Skip theme step by @harshsbhat in https://github.com/formbricks/formbricks/pull/7957
  • chore: A/B test different upgrade banner in trial by @harshsbhat in https://github.com/formbricks/formbricks/pull/7953
  • chore: A/B experiment to test reverse trial copy by @harshsbhat in https://github.com/formbricks/formbricks/pull/8025
  • refactor: consolidate unifyFeedback into feedbackDirectories license flag by @mattinannt in https://github.com/formbricks/formbricks/pull/8034
  • docs: add custom CSS guide for website & app surveys by @jobenjada in https://github.com/formbricks/formbricks/pull/8031
  • fix: flag id for A/B test re onboarding step 1 by @jobenjada in https://github.com/formbricks/formbricks/pull/8035
  • chore: A/B test reduce cog. load in question section by @harshsbhat in https://github.com/formbricks/formbricks/pull/7944
  • fix: use block terminology in conditional logic docs by @jobenjada in https://github.com/formbricks/formbricks/pull/7942
  • fix: seed default contact attribute keys on workspace creation (ENG-929) by @Dhruwang in https://github.com/formbricks/formbricks/pull/8036
  • chore: SSO deletion workflow simplification by @xernobyl in https://github.com/formbricks/formbricks/pull/8009
  • fix: fix sso redirect while deleting account by @xernobyl in https://github.com/formbricks/formbricks/pull/8039
  • fix: harden storage presigned URL issuance by @BhagyaAmarasinghe in https://github.com/formbricks/formbricks/pull/8021
  • fix: translate footer links based on survey language (ENG-673) by @mattinannt in https://github.com/formbricks/formbricks/pull/8018
  • feat: make Cube a mandatory baseline dependency in v5 by @mattinannt in https://github.com/formbricks/formbricks/pull/8042
  • chore(deps): bump the npm_and_yarn group across 2 directories with 6 updates by @dependabot[bot] in https://github.com/formbricks/formbricks/pull/8027
  • fix: improve blocked state explanations across UI by @itsjavi in https://github.com/formbricks/formbricks/pull/8038
  • fix: add CSAT and CES summary filter icons (backport #8056) by @itsjavi in https://github.com/formbricks/formbricks/pull/8063
  • fix: sync chart Cube feedback schema (backport #8057 to release/5.0) by @Dhruwang in https://github.com/formbricks/formbricks/pull/8066
  • fix: scope display contact lookup to workspace (ENG-818) [backport release/5.0] by @mattinannt in https://github.com/formbricks/formbricks/pull/8069
  • fix: [Backport] client environment api sdk fixes by @pandeymangg in https://github.com/formbricks/formbricks/pull/8074
  • fix: route Manage Teams and integration OAuth callbacks to settings (backport #8059) by @Dhruwang in https://github.com/formbricks/formbricks/pull/8075
  • fix: gate AI chart generation on smartTools, not dataAnalysis (backport #8060) by @Dhruwang in https://github.com/formbricks/formbricks/pull/8076
  • fix: render scheduled-plan-change description placeholders correctly (backport #8064) by @Dhruwang in https://github.com/formbricks/formbricks/pull/8077
  • fix: require Cube API secret in compose (backport #8071) by @Dhruwang in https://github.com/formbricks/formbricks/pull/8080
  • fix: update Helm chart default image tag (backport #8072) by @Dhruwang in https://github.com/formbricks/formbricks/pull/8081
  • fix: [Backport] responseId client api fix by @pandeymangg in https://github.com/formbricks/formbricks/pull/8083
  • fix: harden Helm env value rendering (backport #8070) by @Dhruwang in https://github.com/formbricks/formbricks/pull/8078
  • fix: show copy icon on legacy environmentId, reintroduce duplicate survey action (backport #8061) by @Dhruwang in https://github.com/formbricks/formbricks/pull/8085
  • fix: [Backport] excel injection backport by @pandeymangg in https://github.com/formbricks/formbricks/pull/8086
  • fix: [Backport] backports removal of timestamps from client responses api by @pandeymangg in https://github.com/formbricks/formbricks/pull/8087
  • fix: backport Cube API secret Helm defaults to 5.0 by @jobenjada in https://github.com/formbricks/formbricks/pull/8088
  • fix: backport settings back navigation to 5.0 by @jobenjada in https://github.com/formbricks/formbricks/pull/8089
  • fix: backport billing-only settings access to 5.0 by @jobenjada in https://github.com/formbricks/formbricks/pull/8090
  • fix: AI translation rich-text editors stay empty (backport #8084) by @Dhruwang in https://github.com/formbricks/formbricks/pull/8091
  • fix: [Backport] adds close button on response error screen by @pandeymangg in https://github.com/formbricks/formbricks/pull/8098
  • fix: chart date range type switch + presets include today (backport #8096) by @Dhruwang in https://github.com/formbricks/formbricks/pull/8097
  • fix: allow enterprise oauth display names by @jobenjada in https://github.com/formbricks/formbricks/pull/8100
  • fix: backport #8101 reserved contact keys and segment errors to 5.0 by @jobenjada in https://github.com/formbricks/formbricks/pull/8103
  • fix: order Helm Hub migrations after Prisma (backport #8104) by @Dhruwang in https://github.com/formbricks/formbricks/pull/8107
  • fix: pin DNS and block redirects on webhook delivery (backport #8095) by @Dhruwang in https://github.com/formbricks/formbricks/pull/8106
  • fix: backport CSAT and CES summary filter icons to 5.0 by @jobenjada in https://github.com/formbricks/formbricks/pull/8058
  • fix: backport removal of isAIDataAnalysisEnabled to v5 by @jobenjada in https://github.com/formbricks/formbricks/pull/8112
  • fix: use Valkey for bundled Helm Redis (backport #8092) by @Dhruwang in https://github.com/formbricks/formbricks/pull/8105
  • fix: [Backport] json payload limit by @pandeymangg in https://github.com/formbricks/formbricks/pull/8115
  • feat: [Backport] cascade delete Hub feedback records on org deletion (#8055) by @Dhruwang in https://github.com/formbricks/formbricks/pull/8116
  • fix: harden Helm release secret lookups by @BhagyaAmarasinghe in https://github.com/formbricks/formbricks/pull/8119
  • fix: [Backport] restore logout and profile access for billing-role users (#8136) by @Dhruwang in https://github.com/formbricks/formbricks/pull/8137

New Contributors

  • @mariusbolik made their first contribution in https://github.com/formbricks/formbricks/pull/7685
  • @HamzaSwitch made their first contribution in https://github.com/formbricks/formbricks/pull/7731
  • @onwp made their first contribution in https://github.com/formbricks/formbricks/pull/7645
  • @arasucar made their first contribution in https://github.com/formbricks/formbricks/pull/7754
  • @labeebahmad201 made their first contribution in https://github.com/formbricks/formbricks/pull/7836

Full Changelog: https://github.com/formbricks/formbricks/compare/4.9.7...5.0.0

Breaking Changes

  • Cube and Formbricks Hub become mandatory baseline services for analytics, dashboards, and AI features.
  • Projects renamed to Workspaces throughout the product; UI and terminology updated accordingly.
  • Database schema migrations run on first startup introducing major data‑model changes (requires migration guide).
  • Minimum Node.js 20.12 required due to new dependencies (Cube, RustFS).

Security Fixes

  • SSRF protections added to webhook delivery and redirect handling.
  • CSRF mitigations for OAuth flows.
  • Body‑size limits enforced across APIs.
  • Export sanitization and step‑up auth gating sensitive actions.
  • Storage presigned URL issuance hardened.
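
The changelog entries "prevent SSRF via redirect following in webhook delivery", "fixes webhook ssrf toctou issue" and "pin DNS and block redirects on webhook delivery" name three controls that work together: validate the resolved address, connect to that same address, and refuse redirects. The sketch below is an added example for reviewers, not Formbricks code; the function names, the blocked ranges and the sample addresses are assumptions chosen for illustration.

```javascript
"use strict";
const net = require("node:net");
const dns = require("node:dns");
const https = require("node:https");

// Ranges a webhook must never reach: "this network", RFC 1918, CGNAT, loopback,
// link-local (covers the 169.254.169.254 metadata address), IPv6 loopback,
// unspecified, unique-local and link-local.
const BLOCKED = new net.BlockList();
for (const [prefix, bits] of [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
]) BLOCKED.addSubnet(prefix, bits, "ipv4");
BLOCKED.addAddress("::", "ipv6");
BLOCKED.addAddress("::1", "ipv6");
BLOCKED.addSubnet("fc00::", 7, "ipv6");
BLOCKED.addSubnet("fe80::", 10, "ipv6");

function isBlockedAddress(ip) {
  const family = net.isIP(ip); // 0 means "not an IP literal"
  if (family === 0) return true; // fail closed on anything unparseable
  return BLOCKED.check(ip, family === 6 ? "ipv6" : "ipv4");
}

// Pick the one address the socket will be pinned to. Every record must pass:
// a single internal record hidden among public ones rejects the whole host.
function pickPinnedAddress(records) {
  if (records.length === 0) throw new Error("no DNS records");
  const bad = records.find((r) => isBlockedAddress(r.address));
  if (bad) throw new Error(`blocked destination ${bad.address}`);
  return records[0];
}

async function deliverWebhook(rawUrl, payload) {
  const url = new URL(rawUrl); // also normalises forms such as 0x7f.1
  if (url.protocol !== "https:") throw new Error("https only");
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  const records = net.isIP(host)
    ? [{ address: host, family: net.isIP(host) }]
    : await dns.promises.lookup(host, { all: true });
  const pinned = pickPinnedAddress(records);
  const body = JSON.stringify(payload);

  return new Promise((resolve, reject) => {
    const req = https.request(url, {
      method: "POST",
      timeout: 5000,
      headers: {
        "content-type": "application/json",
        "content-length": Buffer.byteLength(body),
      },
      // Closes the check-then-connect gap: the socket reuses the address that
      // was validated above instead of resolving the name a second time.
      lookup: (_hostname, opts, cb) =>
        opts.all ? cb(null, [pinned]) : cb(null, pinned.address, pinned.family),
    }, (res) => {
      res.resume();
      // https.request never follows redirects itself; a 3xx is reported as a
      // failure so no caller retries against the Location header.
      if (res.statusCode >= 300 && res.statusCode < 400) {
        reject(new Error(`redirect refused (${res.statusCode})`));
      } else {
        resolve(res.statusCode);
      }
    });
    req.on("timeout", () => req.destroy(new Error("timeout")));
    req.on("error", reject);
    req.end(body);
  });
}
```

TLS certificate validation and SNI still use the original hostname because only the address lookup is overridden.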


About formbricks

Open Source Qualtrics Alternative
