github appsmithorg/appsmith v2.0
Release v2.0 🌈

3 hours ago
⚠️ Important / Critical - DO NOT UPGRADE WITHOUT READING

If you are upgrading from a version earlier than v1.96, you must first upgrade to version v1.99 before upgrading to 2.0+.

This requirement is especially important for instances using the built-in MongoDB. Appsmith 2.0 bundles MongoDB 7, and versions v1.96 through v1.99 include the required migration changes needed to support this upgrade path.

Skipping this intermediate upgrade will cause the upgrade to 2.0+ to fail, including on installations that use an external MongoDB instance. Completing this step is required for all deployments.

If you already attempted the upgrade and encountered a failure, no data loss or destructive changes will occur. Simply upgrade to version v1.99 first. Once the instance is successfully running on v1.99, you can proceed with upgrading to 2.0+.

For detailed upgrade instructions, see:

https://docs.appsmith.com/getting-started/setup/instance-management/update-appsmith

Features

  • Added a documentation link tooltip for the Appsmith Base URL setting and implemented trailing-slash normalization. (#41782)
  • Added support for the MongoDB Operator in Helm deployments. (#41733)
  • Added Ask AI CE stubs and shared file wiring support. (#41692)

Fixes

  • Validated request origins before persisting invited users. [APP-15239] (#41826)
  • Preserved Redis credentials during appsmithctl restore. (#41827)
  • Upgraded postgresql-jdbc to 42.7.11 to remediate CVE-2026-42198. (#41812)
  • Added validation for Git repository URLs. (#41819)
  • Prevented unauthenticated access to full OpenAPI documentation. (GHSA-v6jh-fx3m-7xhw) (#41803)
  • Fixed a path traversal vulnerability. (GHSA-m4hv-9p7g-56vm) (#41790)
  • Upgraded arangodb-java-driver to 7.25.0 to remediate CVE-2025-52999. (#41789)
  • Replaced generic “Response not valid” messages with more actionable error messages for improved observability. (#41769)
  • Failed closed for token-bearing emails when APPSMITH_BASE_URL is unset. (GHSA-j9gf-vw2f-9hrw) (#41767)
  • Updated Helm charts to use documented image values instead of the undocumented _image key. (#41765)
  • Fixed a datasource configuration leak in Appsmith App Viewer imports. (GHSA-93mf-9h52-gfxp) (#41764)
  • Prevented stored XSS via SQL autocomplete. (GHSA-vjfq-fvfc-3vjw) (#41760)
  • Stripped identity fields from imported JSON before persistence. (#41761)
  • Prevented HTML entity decoding from corrupting binary file uploads in multipart form data. (#41742)
  • Pinned protobufjs to ^7.5.5 to address GHSA-xq3m-2v4x-88gg. (#41745)
  • Upgraded axios to 1.15.0 to address GHSA-3p68-rc4w-qgx5. (#41739)
  • Upgraded bundled Mongo to 7.x
  • Upgraded backend Java to 25.x
  • Upgraded backend Node to 24.x
  • Upgraded bundled MongoDB to 7.x
