‼️🛡️ This release includes a security patch
- Patched versions: >= 0.35.3. Please update to this version as soon as possible.
- Further recommendations:
  - Check all active sessions in the organizations page. Delete any unauthorized sessions and users.
  - Set up SAML SSO / OAuth as the only methods for authentication.
- Affected versions: < 0.35.2
- CWE: CWE-269, CWE-284
- Impact:
  - [1] (Critical) Unauthorized access: unauthenticated users are able to sign up via basic auth as admin users.
  - [2] (High) Privilege escalation: the PATCH endpoint allows a basic org member to promote themselves to admin.
- Affected users:
  - For [1]: Docker Compose deployments with basic authentication enabled (not recommended in production).
  - For [2]: Docker Compose and Cloud.
- Exploitability (High): if basic auth is enabled and publicly exposed to the internet.
- Not affected (for [1] only): Cloud users and on-prem AWS Fargate deployments are not affected if the default WAF and OAuth / SSO are enabled.
- First disclosed: May 22nd 2025 (9am Pacific Time).
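The two weakness classes above (a client-supplied role honoured at sign-up, and a PATCH endpoint that mass-assigns request fields including `role`) are shown below in a deliberately simplified, hypothetical user service, each beside the hardened form that the "Drop role in UserCreate" and "Prevent role change" fixes correspond to. This is added example code, not the project's own implementation; the `User`, `UserStore`, endpoint function names and the in-memory data are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Any, Callable

ROLES = ("basic", "admin")


class Forbidden(Exception):
    """Raised when the caller is not allowed to make the requested change."""


@dataclass
class User:
    id: int
    email: str
    role: str = "basic"  # "basic" or "admin"


@dataclass
class UserStore:
    """Constructed in-memory user table standing in for the real database."""
    users: dict[int, User] = field(default_factory=dict)
    next_id: int = 1

    def add(self, email: str, role: str = "basic") -> User:
        user = User(self.next_id, email, role)
        self.users[user.id] = user
        self.next_id += 1
        return user


# --- Weakness [1]: client-controlled privilege at sign-up (CWE-269) ----------

def signup_vulnerable(store: UserStore, payload: dict[str, Any]) -> User:
    # Trusts a "role" field taken straight from the unauthenticated request body,
    # so anyone who can reach the sign-up endpoint picks their own privilege level.
    return store.add(payload["email"], payload.get("role", "basic"))


def signup_hardened(store: UserStore, payload: dict[str, Any]) -> User:
    # The create schema has no "role" field: every self-registered account starts
    # as a basic member no matter what the client sends.
    return store.add(payload["email"], "basic")


# --- Weakness [2]: mass assignment on a PATCH endpoint (CWE-284) -------------

SELF_EDITABLE_FIELDS = {"email"}  # fields a member may change on their own record


def patch_user_vulnerable(store: UserStore, actor: User, user_id: int,
                          patch: dict[str, Any]) -> User:
    # Applies every key in the request body to the record, "role" included, and
    # never checks who the actor is.
    target = store.users[user_id]
    for key, value in patch.items():
        setattr(target, key, value)
    return target


def patch_user_hardened(store: UserStore, actor: User, user_id: int,
                        patch: dict[str, Any]) -> User:
    target = store.users[user_id]
    if actor.id != user_id and actor.role != "admin":
        raise Forbidden("only admins may edit other users")
    allowed = set(SELF_EDITABLE_FIELDS)
    if actor.role == "admin" and actor.id != user_id:
        allowed.add("role")  # admins may change roles, but never their own
    for key, value in patch.items():
        if key not in allowed:  # allow-list, so unknown/privileged fields are refused
            raise Forbidden(f"{key!r} may not be changed by this caller")
        if key == "role" and value not in ROLES:
            raise ValueError(f"unknown role {value!r}")
        setattr(target, key, value)
    return target


def is_forbidden(fn: Callable[..., Any], *args: Any) -> bool:
    """Helper for checks: True if the call is rejected with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    store = UserStore()
    member = store.add("member@example.test")
    admin = store.add("admin@example.test", "admin")
    print("member self-promote rejected:",
          is_forbidden(patch_user_hardened, store, member, member.id, {"role": "admin"}))
    print("admin promotes member:",
          patch_user_hardened(store, admin, member.id, {"role": "admin"}).role)
```

The hardened PATCH handler uses a per-caller allow-list rather than a deny-list of sensitive fields, so a new column added to the model later is not editable by accident; the sign-up handler simply has no way to express a role. Both checks belong in the endpoint or service layer, not only in the UI.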
✨ Enhancements
- Limit what actions can use interactions + add validation (#1143)
- Add secret expression validation (#1142)
- Implement events toolbar (#1141)
- Move interaction state out of workflow (#1133)
🐞 Bug fixes
- CSV importer dialog width overflow (#1135)
- Drop role in UserCreate + simplify conftest (#1147)
- Prevent role change (#1145)
- Add secret expression validation (#1142)
- Fix other validation error type handling + update openapi (#1140)
Thank you to all our contributors for making this release possible!
@Jarro01X, @daryllimyt and @topher-lo
Thank you to @s-anvar for reporting this vulnerability.