v3.9.4

LTSRecommended

Released May 21, 2026·Supported until Dec 31, 2026·Community 1.13.3·Community commit c5d8c00·Enterprise 0.16.x·Helm chart·Docker Compose

Breaking

1 to verify

Security

Issues

Changes

0F · 3B

Downtime

Zero

Upgrade Impact

0 features · 3 fixes

Breaking:The default Enterprise API image no longer ships Weights & Biases tracing or ClickZetta vector DB; use the `-insecure` API image if you still need them.

API image: W&B tracing and ClickZetta vector DB removed from default buildFor a smaller attack surface, Weights & Biases (`wandb`) tracing and the ClickZetta vector database integration are no longer included in the default API image. If you still need those integrations, use the docker.io/langgenius/dify-ee-api-insecure:3.9.4 API image tag, which retains the previous behavior at the cost of additional known vulnerabilities.

What Changed

Security

Security: Vulnerability FixesFixed several vulnerabilities in previous version. Please see full CVE report for details.

Performance

Performance: TTFE OptimizationImproved Time To First Event (TTFE) latency through cache optimizations and reduced database roundtrips, delivering faster response times across LTS 3.9.x deployments.

Performance: Post-Run Delay OptimizationProvided a configurable EVENT_BUS_LISTENER_JOIN_TIMEOUT_MS to allow reducing idle delay after chatflow run completion, trading graceful stream disconnect for lower post-run latency in multi-turn conversations. 100 is a reasonable value.