twenty

v2.7.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 9d Productivity & Wikis
✓ No known CVEs patched
This release patches 1 known CVE

Topics

crm crm-system customer graphql javascript marketing monorepo nestjs postgresql react reactjs sales typescript web

Affected surfaces

auth breaking_upgrade

ReleasePort's take

Moderate signal
editorial:auto 9d

The release bumps @xmldom/xmldom to 0.8.13 to address a security vulnerability and encrypts the `ConnectedAccount` connectionParameters field, unifies connected‑account permissions, deprecates the standard object delete operation, adds idempotent CLI key‑rotation, and introduces JWT signing‑key rotation.

Why it matters: Security fix: upgrade @xmldom/xmldom to 0.8.13 immediately; encryption change requires updating data model handling before migration; permission unification alters access control logic; deprecation of `ConnectedAccount` delete mandates code adjustments; new JWT rotation cron safeguards token integrity.

Summary

AI summary

Fixed front layout crash, encrypted ConnectedAccount parameters, unified permissions, added server JWT rotation cron, improved website navigation, updated deps including security bump.

Changes in this release

Security High

Bump @xmldom/xmldom to 0.8.13 (security fix).

Source: llm_adapter@2026-05-25

Confidence: high

Breaking High

Encrypt `ConnectedAccount` connectionParameters field.

Source: llm_adapter@2026-05-25

Confidence: high

Breaking High

Unify connected account permissions.

Source: llm_adapter@2026-05-25

Confidence: high

Feature Medium

Add idempotent CLI command to rotate ENCRYPTION_KEY across enc:v2 rows.

Source: llm_adapter@2026-05-25

Confidence: high

Feature Medium

Add Enterprise cron that rotates the current JWT signing key.

Source: llm_adapter@2026-05-25

Confidence: high

Performance Medium

Stop bundling twenty-ui React CJS runtime code.

Source: llm_adapter@2026-05-25

Confidence: high

Deprecation Medium

Deprecate and backfill delete `ConnectedAccount` standard object.

Source: llm_adapter@2026-05-25

Confidence: high

Bugfix Medium

Fix QueryRunnerAlreadyReleasedError in sign-in-up service.

Source: llm_adapter@2026-05-25

Confidence: high

Bugfix Medium

Fix BUILDER_INTERNAL_SERVER_ERROR message.

Source: llm_adapter@2026-05-25

Confidence: high

Bugfix Medium

Fix front layout crash from useTargetRecord.

Source: llm_adapter@2026-05-25

Confidence: high

Full changelog

What's Changed

  • fix(front): prevent standalone page layout crash from useTargetRecord by @charlesBochet in https://github.com/twentyhq/twenty/pull/20698
  • i18n - website translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20694
  • chore: bump version to 2.7.0 by @twenty-pr[bot] in https://github.com/twentyhq/twenty/pull/20693
  • docs(self-host): document ENCRYPTION_KEY, FALLBACK_ENCRYPTION_KEY and key rotation procedures by @charlesBochet in https://github.com/twentyhq/twenty/pull/20611
  • i18n - docs translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20702
  • i18n - docs translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20705
  • Stop bundling twenty-ui react cjs runtime code by @martmull in https://github.com/twentyhq/twenty/pull/20703
  • fix(filters): make filter dispatcher own relation-target resolution by @FelixMalfait in https://github.com/twentyhq/twenty/pull/20670
  • Fix(twenty-front): BlockNote slash command shows empty state when no match by @git-init-priyanshu in https://github.com/twentyhq/twenty/pull/20689
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20710
  • [Website] Change product hero to reveal tabs on scroll. by @mabdullahabaid in https://github.com/twentyhq/twenty/pull/20707
  • i18n - website translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20712
  • messaging minor perf improvement by @neo773 in https://github.com/twentyhq/twenty/pull/20687
  • feat(server): Enterprise cron that rotates the current JWT signing key by @charlesBochet in https://github.com/twentyhq/twenty/pull/20612
  • refactor(server): drop logo select workaround in flat-application cache by @charlesBochet in https://github.com/twentyhq/twenty/pull/20708
  • Fix BUILDER_INTERNAL_SERVER_ERROR message by @ijreilly in https://github.com/twentyhq/twenty/pull/20720
  • [Website] Hide Product and Articles from navigation and remove language switcher. by @mabdullahabaid in https://github.com/twentyhq/twenty/pull/20718
  • i18n - website translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20722
  • fix(server): backport relationTargetFieldMetadataId column-add to 2.4 and 2.5 fast instance by @charlesBochet in https://github.com/twentyhq/twenty/pull/20721
  • fix(twenty-front): prevent connected account row overflow on long status label by @neo773 in https://github.com/twentyhq/twenty/pull/20713
  • [CONNECTED_ACCOUNT_BREAKING_CHANGE] Encrypt ConnectedAccount connectionParameters by @prastoin in https://github.com/twentyhq/twenty/pull/20673
  • i18n - website translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20723
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20725
  • i18n - website translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20724
  • Create twenty app improvements by @martmull in https://github.com/twentyhq/twenty/pull/20688
  • fix(ai) - add ai model preferences fallback by @etiennejouan in https://github.com/twentyhq/twenty/pull/20704
  • use declared outputSchema for logic-function steps by @abdulrahmancodes in https://github.com/twentyhq/twenty/pull/20679
  • fix(server): sync command menu item availability expressions on existing workspaces by @ehconitin in https://github.com/twentyhq/twenty/pull/20719
  • chore(server): remove unused CommandLogger from command module by @Rpaudel379 in https://github.com/twentyhq/twenty/pull/20638
  • Add @WasRemovedInUpgrade decorator by @Weiko in https://github.com/twentyhq/twenty/pull/20729
  • i18n - docs translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20736
  • Twenty fireflies integration by @abdulrahmancodes in https://github.com/twentyhq/twenty/pull/20618
  • Fix QueryRunnerAlreadyReleasedError in sign-in-up service by @Weiko in https://github.com/twentyhq/twenty/pull/20734
  • refactor(filters): pass fieldMetadataItems array to dispatcher by @charlesBochet in https://github.com/twentyhq/twenty/pull/20737
  • feat(website-new): add Cloudflare Workers deployment via OpenNext by @FelixMalfait in https://github.com/twentyhq/twenty/pull/20741
  • chore(website): rename twenty-website-new → twenty-website by @FelixMalfait in https://github.com/twentyhq/twenty/pull/20745
  • feat(website): migrate dev hostname website-new.twenty-main.com → website.twenty-main.com by @FelixMalfait in https://github.com/twentyhq/twenty/pull/20747
  • Update default widget gridPosition by @martmull in https://github.com/twentyhq/twenty/pull/20740
  • fix: render PAGE_LAYOUT nav items with standard icon tile and compute… by @martmull in https://github.com/twentyhq/twenty/pull/20743
  • chore: sync AI model catalog from models.dev by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20751
  • chore(server): drop leftover favorite and favoriteFolder workspace objects by @FelixMalfait in https://github.com/twentyhq/twenty/pull/20744
  • fix(create-twenty-app): preserve .yarnrc.yml in template by @sonarly[bot] in https://github.com/twentyhq/twenty/pull/20623
  • Unify oAuth success and failure screen with autorize page by @martmull in https://github.com/twentyhq/twenty/pull/20746
  • feat(website): mirror prod hostname pattern on dev (apex + www) by @FelixMalfait in https://github.com/twentyhq/twenty/pull/20753
  • Update create twenty app scaffolded front component by @martmull in https://github.com/twentyhq/twenty/pull/20733
  • fix(ai-chat) - fixes on cost display by @etiennejouan in https://github.com/twentyhq/twenty/pull/20750
  • docs(sdk): document DatabaseEventPayload and simplify its type by @ehconitin in https://github.com/twentyhq/twenty/pull/20754
  • Slack workflow connector by @abdulrahmancodes in https://github.com/twentyhq/twenty/pull/20427
  • feat(website): enable OpenNext skew protection + tune CF cache by @FelixMalfait in https://github.com/twentyhq/twenty/pull/20760
  • i18n - docs translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20764
  • fix(workflow): restore initial input fields on code step creation by @thomtrp in https://github.com/twentyhq/twenty/pull/20756
  • [CONNECTED_ACCOUNT_BREAKING_CHANGE] Unify connected account permissions by @prastoin in https://github.com/twentyhq/twenty/pull/20732
  • Increase size of tarball upload by @martmull in https://github.com/twentyhq/twenty/pull/20767
  • fix(ci): repair preview-environment dispatch (use PAT, not GITHUB_TOKEN) by @FelixMalfait in https://github.com/twentyhq/twenty/pull/20773
  • feat(website): per-PR preview deploys via Worker versions by @FelixMalfait in https://github.com/twentyhq/twenty/pull/20762
  • fix(server): map PermissionsException to proper HTTP status on REST API by @Weiko in https://github.com/twentyhq/twenty/pull/20739
  • Update twenty sdk commands by @martmull in https://github.com/twentyhq/twenty/pull/20735
  • fix(ai-chat)-preference models import by @etiennejouan in https://github.com/twentyhq/twenty/pull/20776
  • fix(messaging): preserve all gmail to/cc/bcc recipients as participants by @neo773 in https://github.com/twentyhq/twenty/pull/20491
  • i18n - docs translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20778
  • feat(server): idempotent CLI to rotate ENCRYPTION_KEY across enc:v2 rows by @charlesBochet in https://github.com/twentyhq/twenty/pull/20613
  • Ci server custom jest reporter by @prastoin in https://github.com/twentyhq/twenty/pull/20765
  • fix(auth): clarify error when joining a non-active workspace by @FelixMalfait in https://github.com/twentyhq/twenty/pull/20769
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20782
  • chore(deps): bump @recallai/desktop-sdk from 2.0.8 to 2.0.15 by @dependabot[bot] in https://github.com/twentyhq/twenty/pull/20785
  • chore(deps): bump @azure/msal-node from 3.8.4 to 3.8.10 by @dependabot[bot] in https://github.com/twentyhq/twenty/pull/20787
  • chore(deps): bump linkify-react from 4.3.2 to 4.3.3 by @dependabot[bot] in https://github.com/twentyhq/twenty/pull/20789
  • chore(deps): bump tinyglobby from 0.2.15 to 0.2.16 by @dependabot[bot] in https://github.com/twentyhq/twenty/pull/20788
  • chore: sync AI model catalog from models.dev by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20791
  • fix(front): focus new Field widget and open side panel on add by @Weiko in https://github.com/twentyhq/twenty/pull/20777
  • Application file storage service by @prastoin in https://github.com/twentyhq/twenty/pull/20793
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20796
  • Fix must wait 3 days to create app in twenty-apps by @martmull in https://github.com/twentyhq/twenty/pull/20794
  • Set website default port to 3002 by @Bonapara in https://github.com/twentyhq/twenty/pull/20795
  • fix(email): resolve reply account from thread channel by @Vinzz2303 in https://github.com/twentyhq/twenty/pull/20755
  • chore(deps): bump @xmldom/xmldom to 0.8.13 (security) by @charlesBochet in https://github.com/twentyhq/twenty/pull/20798
  • Navigate to installed page after app install by @martmull in https://github.com/twentyhq/twenty/pull/20797
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20801
  • Deprecate and backfill delete ConnectedAccount twenty standard object by @prastoin in https://github.com/twentyhq/twenty/pull/20752
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20802
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20804
  • Drop legacy rolePermissionFlag.flag column + fallback logic by @Weiko in https://github.com/twentyhq/twenty/pull/20730
  • fix(docker): pin patched curl/nghttp2/postgresql18-client apk versions by @charlesBochet in https://github.com/twentyhq/twenty/pull/20805
  • Upload application file resolver exception management and integration coverage by @prastoin in https://github.com/twentyhq/twenty/pull/20803

New Contributors

  • @Vinzz2303 made their first contribution in https://github.com/twentyhq/twenty/pull/20755

Full Changelog: https://github.com/twentyhq/twenty/compare/v2.6.0...v2.7.0

Breaking Changes

  • [CONNECTED_ACCOUNT_BREAKING_CHANGE] Encrypt `ConnectedAccount` `connectionParameters`
  • [CONNECTED_ACCOUNT_BREAKING_CHANGE] Unify connected account permissions

Security Fixes

  • dep: @xmldom/xmldom bumped to 0.8.13 (security)

About twenty

Building a modern alternative to Salesforce, powered by the community.

Earlier breaking changes

  • v2.8.0 Introduces a new permission flags system defined by apps
  • v2.8.0 Permission flags system replaces previous permission model
  • v2.6.0 Rename permissionFlag to rolePermissionFlag and add catalog/backfill
  • v2.6.0 Drop APP_SECRET from approved-access-domain validation and session cookies
  • v2.5.0 [breaking: deploy server before front] feat(view-sort): pick sort sub-field inline on the chip