Changelog

Retool recently made changes that make it easier to review changes in source control. Retool now separates system-generated updates related to version upgrades into their own migration commit, so your pull requests are cleaner and easier to understand.

This feature is generally available on Retool Cloud. It is available in private beta to Self-hosted Retool organizations on edge version 3.203.0-edge or later, and will be generally available in an upcoming stable release. Self-hosted Retool organizations can reach out to support to enable this feature.

What's new​

Instead of bundling migration changes with user changes, they now appear in a dedicated commit.

No setup needed—this happens automatically when you make commits.

Retool now supports an integration to the Tavily Search API. Use this integration to perform either general or news-specific web searches. You can choose to provide your own Tavily API key if you do not want to be subject to Retool's rate limits (100 calls per 24 hours) on Tavily.

A vulnerability in an open-source library, samlify, which Retool uses for SAML login implementation, allowed for account takeovers through forged SAML identity provider (IdP) assertions. In the worst case, an external threat actor could forge arbitrary assertions for a SAML IdP, potentially leading to full account takeovers within an organization. An attacker would need a signed XML document by the identity provider. Version 2.10.0 fixes the issue. This exploit requires no user interaction and an attacker could gain unauthorized access to an organization with escalated privileges.

Fixed release versions​

Affected release versions​

An improved version of the File Input component for Mobile is currently available on Retool Cloud and on Self-hosted Retool 3.168.0 or later.

This includes:

• Multi-file support – Users can now upload multiple files at once instead of being limited to a single file.
• Blob URL exposure – The component now exposes blob URLs to the value property in the component state.

Retool renamed the Chat component to LLM Chat to provide more clarity on the purpose of the component. No user action is required.

Self-hosted deployments of Retool missing the BASE_DOMAIN environment variable may in some cases be vulnerable to host header injections. All vulnerable versions can be remediated immediately by properly setting the BASE_DOMAIN environment variable to the full URL of the deployment, such as https://retool.example.com. Beginning with 3.196.0, this environment variable will be required for an instance on boot.

Is my version of Retool affected?​

All current Retool on-prem instances that have not yet disabled password based authentication may be vulnerable (this is easily checked by verifying that there is no form to login with a password when opening up Retool.) If password auth has not been disabled, your Retool instance is potentially vulnerable if all of the following apply to you:

• You do not have the BASE_DOMAIN environment variable set.
• Your Retool instance is reachable without any request filtering based on the Host header. This is likely the case if you’re not using a reverse proxy or that reverse proxy forwards requests for all domains.
• A user in your instance solely relies on password based authentication. This is the case when all of the following apply
  • You have the Disable Login with Email and Password setting disabled
  • You have not enforced Two Factor Authentication
  • A user in your instance does not have a second factor authentication configured.

Affected release versions​

Notification Update: 2025-05-09​

An email to customers sent on 2025-05-09 incorrectly described which Retool instances are affected. The section on affected versions should instead be Is my version of Retool affected?.

Improvements to source control on Workflows are now generally available on Self-hosted Retool 3.200.0-edge and in the upcoming stable release. The following features are now supported for all users on Enterprise plans:

Retool made several improvements to the usage of Source Control with Retool Workflows. The following features are now supported on Enterprise plans:

• Branched changes. You can now make changes to workflows using branches. Previously, all Source Control changes on workflows were branchless.
• Multi-element branching. You can make edits to workflows on the same branch as edits to apps, modules, and Query Library queries.
• Collaborative branches. Multiple users can commit changes and merge pull requests on collaborative branches.

Retool now supports an integration to the Google Calendar API. Use this integration in combination with the Calendar or Timeline components to interact with calendars and events.

Refer to the Calendar guide for information on how to use this resource with the Calendar component.

Retool now supports an integration to Google Docs, which utilizes the Google Docs API and the Google Drive API. Use this integration to retrieve, create, and update documents.