twenty

v2.4.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 21d Productivity & Wikis
✓ No known CVEs patched
This release patches 1 known CVE

Topics

crm crm-system customer graphql javascript marketing monorepo nestjs postgresql react reactjs sales typescript web

Affected surfaces

deps rce_ssrf

ReleasePort's take

Moderate signal
editorial:auto 13d

v2.4.0 fixes FTP command injection via CRLF in basic-ftp and secures sendEmail endpoints. Billing migrates from Stripe metering (breaking change).

Why it matters: Patch v2.4.0 immediately to fix FTP command injection in basic-ftp. Update now if using FTP connections; review Stripe billing migration requirements.

Summary

AI summary

basic-ftp FTP command injection vulnerability fixed.

Changes in this release

Security Medium

fix: basic-ftp has FTP Command injection via CRLF

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Protect sendEmail endpoint and thread user context through logic function executor

Source: llm_adapter@2026-05-21

Confidence: low

Breaking Medium

Billing - Migrate from Stripe metering

Source: llm_adapter@2026-05-21

Confidence: low

Breaking Medium

External contributor auto-draft and dispatch pr-review event type

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Add defineApplicationRole method

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

feat(sdk): warn when local server image is behind latest

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

feat: add email forwarding message channel

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

feat(public-domain): bind public domains to apps + reorganize settings

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Add description to oAuth_only app created

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Medium

Detail steps during create twenty app

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Dependency Medium

chore(front): move mocked-metadata helpers under src/testing

Source: llm_adapter@2026-05-21

Confidence: low

Performance Medium

Simplify dispatch pr review

Source: llm_adapter@2026-05-21

Confidence: low

Deprecation Medium

Billing - remove default feature flag

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

fix: workspace member "me" filters now work in dashboard widgets

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

fix: Use settings table rows and detail page for app connections

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

fix: validate enum values before opening transaction in alterEnumValues

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

fix(messaging): reset sync state when IMAP/SMTP/CalDAV credentials are updated

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Fix plan-required modal issue

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Bugfix Medium

Fix docs apps navigation

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Refactor Medium

refactor: scope ApplicationRegistrationService findOneById to tenant rows

Source: llm_adapter@2026-05-21

Confidence: low

Other Medium

Improved create-twenty-app documentation for AI coding agents

Source: llm_adapter@2026-05-21

Confidence: low

Other Medium

i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20347

Source: llm_adapter@2026-05-21

Confidence: low

Full changelog

What's Changed

  • chore(front): move mocked-metadata helpers under src/testing by @charlesBochet in https://github.com/twentyhq/twenty/pull/20341
  • Add description to oAuth_only app created by @martmull in https://github.com/twentyhq/twenty/pull/20336
  • Fix plan-required modal issue by @etiennejouan in https://github.com/twentyhq/twenty/pull/20346
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20347
  • chore: bump version to 2.4.0 by @twenty-pr[bot] in https://github.com/twentyhq/twenty/pull/20345
  • Oxlint ignore twenty-version constant by @prastoin in https://github.com/twentyhq/twenty/pull/20350
  • Improved create-twenty-app documentation for AI coding agents by @Bredo in https://github.com/twentyhq/twenty/pull/20325
  • fix: workspace member "me" filters now work in dashboard widgets by @QuantumByteMaster in https://github.com/twentyhq/twenty/pull/20266
  • i18n - docs translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20353
  • External contributor auto-draft and dispatch pr-review event type by @prastoin in https://github.com/twentyhq/twenty/pull/20329
  • Fix auto draft workflow by @prastoin in https://github.com/twentyhq/twenty/pull/20357
  • Billing - Migrate from Stripe metering by @etiennejouan in https://github.com/twentyhq/twenty/pull/20298
  • Fix docs apps navigation by @dev111-actor in https://github.com/twentyhq/twenty/pull/20359
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20362
  • i18n - docs translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20366
  • Billing - remove default feature flag by @etiennejouan in https://github.com/twentyhq/twenty/pull/20365
  • fix: Use settings table rows and detail page for app connections by @bitloi in https://github.com/twentyhq/twenty/pull/20257
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20372
  • i18n - docs translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20373
  • Add defineApplicationRole method by @abdulrahmancodes in https://github.com/twentyhq/twenty/pull/20314
  • i18n - docs translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20375
  • Detail steps during create twenty app by @martmull in https://github.com/twentyhq/twenty/pull/20374
  • i18n - docs translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20378
  • [Website] Reintroduce the product page. by @mabdullahabaid in https://github.com/twentyhq/twenty/pull/20349
  • i18n - docs translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20385
  • chore: sync AI model catalog from models.dev by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20392
  • i18n - website translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20384
  • fix: handle widgets with missing universalConfiguration in 2.3 delete-gauge-widgets command by @charlesBochet in https://github.com/twentyhq/twenty/pull/20393
  • fix: validate enum values before opening transaction in alterEnumValues by @Weiko in https://github.com/twentyhq/twenty/pull/20376
  • fix: basic-ftp has FTP Command injection via CRLF by @mabdullahabaid in https://github.com/twentyhq/twenty/pull/20396
  • Protect sendEmail endpoint and thread user context through logic function executor by @martmull in https://github.com/twentyhq/twenty/pull/20369
  • Simplify dispatch pr review by @prastoin in https://github.com/twentyhq/twenty/pull/20397
  • feat(sdk): warn when local server image is behind latest by @FelixMalfait in https://github.com/twentyhq/twenty/pull/20352
  • Isolate twenty apps from nx project by @martmull in https://github.com/twentyhq/twenty/pull/20406
  • refactor: scope ApplicationRegistrationService findOneById to tenant rows by @FelixMalfait in https://github.com/twentyhq/twenty/pull/20408
  • feat: add email forwarding message channel by @FelixMalfait in https://github.com/twentyhq/twenty/pull/19535
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20411
  • Prevent non-admin users from impersonating admin users by @FelixMalfait in https://github.com/twentyhq/twenty/pull/20412
  • [Website] Codebase cleanup and SEO improvements. by @mabdullahabaid in https://github.com/twentyhq/twenty/pull/20415
  • fix: scroll AI chat to bottom on side panel reopen by @FelixMalfait in https://github.com/twentyhq/twenty/pull/20413
  • Reserve inbound subdomain for SES by @neo773 in https://github.com/twentyhq/twenty/pull/20414
  • i18n - website translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20418
  • fix(messaging): reset sync state when IMAP/SMTP/CalDAV credentials are updated by @fucx in https://github.com/twentyhq/twenty/pull/20405
  • feat(public-domain): bind public domains to apps + reorganize settings by @FelixMalfait in https://github.com/twentyhq/twenty/pull/20360
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20428
  • i18n - docs translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20429
  • i18n - docs translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20431
  • [Website] Extract HomeVisual into shared AppPreview section. by @mabdullahabaid in https://github.com/twentyhq/twenty/pull/20432
  • i18n - website translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20434

New Contributors

  • @Bredo made their first contribution in https://github.com/twentyhq/twenty/pull/20325
  • @dev111-actor made their first contribution in https://github.com/twentyhq/twenty/pull/20359
  • @fucx made their first contribution in https://github.com/twentyhq/twenty/pull/20405

Full Changelog: https://github.com/twentyhq/twenty/compare/v2.3.0...v2.4.0

Security Fixes

  • Fix: basic-ftp has FTP Command injection via CRLF

About twenty

Building a modern alternative to Salesforce, powered by the community.

Related context

Earlier breaking changes

  • v2.8.0 Introduces a new permission flags system defined by apps
  • v2.8.0 Permission flags system replaces previous permission model
  • v2.7.0 Unify connected account permissions.
  • v2.7.0 Encrypt `ConnectedAccount` connectionParameters field.
  • v2.6.0 Rename permissionFlag to rolePermissionFlag and add catalog/backfill