By ByteBot
The Software Freedom Conservancy confirmed this week that Bambu Lab has been violating the AGPLv3 open-source license since it first forked PrusaSlicer to build BambuStudio. Two violations are now confirmed: distributing a closed-source networking library bundled with AGPL-derived software, and issuing an illegal cease-and-desist against a developer whose own AGPL-compliant fork Bambu wanted silenced. Bradley Kühn, who co-drafted AGPLv3, called it plainly: “Bambu is currently engaged in the most egregious AGPLv3 violation that I have ever seen.”
What Bambu Lab’s AGPL Violation Actually Looks Like
BambuStudio is a fork of PrusaSlicer, which is licensed under AGPLv3. The fork itself is legal. However, Bambu bundles its slicer with a set of proprietary networking libraries — libbambu_networking.so on Linux, bambu_networking.dll on Windows, libbambu_networking.dylib on macOS — that handle all cloud communication between the slicer and Bambu’s servers. These libraries are closed-source, distributed without corresponding source code, and have been this way for four years. The Software Freedom Conservancy’s investigation confirmed this in its May 18 report.
Bambu’s defense is that the networking plugin is a “separate work” and therefore exempt from AGPL requirements. Josef Prusa dismantled this in one sentence: “BambuStudio cannot do its primary job without the plugin. The plugin cannot do anything without BambuStudio. It is one product split across two files for PR license-laundering convenience.” The SFC’s formal investigation confirmed what open-source advocates had been arguing for years — and what Bambu had publicly acknowledged for four while doing nothing to fix.
Related: Socket Raises $60M as AI Code Creates Supply Chain Crisis
How Bambu Lab’s Lockdown Led to the Cease-and-Desist
This dispute did not start with lawyers. In January 2025, Bambu deployed a firmware update called the Authorization Control System (ACS), which locked print initiation, temperature control, AMS configuration, remote video, and firmware upgrades behind Bambu Connect — a closed-source middleware requiring cloud authentication. Third-party slicers like OrcaSlicer could no longer communicate directly with printers over local networks. Hardware owners had bought these machines assuming open-source slicer compatibility. ACS ended that. According to Tom’s Hardware coverage of the SFC intervention, the company also restricted local network access that printers had supported since launch.
Developer Paweł Jarczak built an OrcaSlicer fork that bypassed Bambu Connect and restored local control. In April 2026, Bambu issued a cease-and-desist. The allegations included impersonation of Bambu Studio, ToS violations, and reverse engineering. Jarczak asked for specifics — which files, which commits — and received none. The project was shuttered. That legal threat was itself an AGPL violation: AGPLv3§10¶3 explicitly states you cannot impose further restrictions on rights the license grants. By targeting Jarczak’s AGPL-licensed fork, Bambu violated the license a second time.
The Security Problem Nobody Can Audit
Here is the detail that makes this more than a licensing dispute. The networking library downloads itself at runtime. You can review the entirety of BambuStudio’s published source code and never see the component that actually communicates with Bambu’s servers — because it arrives separately during execution. Josef Prusa described the networking binary as “a massive security risk.” He is right.
For any Bambu printer owner, every print job routes through a cloud layer nobody can inspect. The data transmitted, how it is processed, and where it is stored are unverifiable. This is not a theoretical concern — it is an unauditable binary executing on your machine and contacting external infrastructure on every print. The ACS update made this routing mandatory, not optional. As the broader open-source implications analysis shows, the outcome here will shape whether hardware companies across IoT and embedded systems can get away with this pattern.
The Community Is Building Back
The Software Freedom Conservancy responded with the baltobu project — three repositories aimed at reversing Bambu’s enclosure of open-source tooling. The reverse-networking repository is rebuilding the proprietary library as open-source. The orca-slicer-for-bambu repository maintains Jarczak’s suppressed fork. The viscose repository is working toward a complete BambuStudio replacement. A fundraiser targeting $250,007 for dedicated staff had exceeded $60,000 at time of publication. Paweł Jarczak — the developer Bambu tried to silence — has joined SFC’s baltobu project as a collaborator.
SFC is also launching a monthly standing committee in June 2026 to bring together manufacturers, users, and activists around 3D printer software freedom. If baltobu succeeds in reverse-engineering the networking layer, Bambu printer owners could regain full local control without routing through Bambu’s servers. If SFC escalates legally, AGPL enforcement can result in injunctions blocking distribution of BambuStudio entirely. Either outcome changes the calculus for every hardware company running AGPL derivatives with closed networking components.
Key Takeaways
- Bambu Lab has been confirmed violating AGPLv3 for four years by bundling closed-source networking libraries with AGPL-derived BambuStudio — its “separate works” defense fails because neither component functions without the other
- The January 2025 Authorization Control System deliberately locked third-party slicer access to Bambu hardware, then Bambu used legal threats to suppress the developer who fixed it — and that cease-and-desist itself violated AGPL
- The networking library downloads at runtime, making it unauditable — users cannot verify what data Bambu’s infrastructure receives or processes on every print job
- The Software Freedom Conservancy’s baltobu project is actively reverse-engineering the proprietary networking layer; if successful, Bambu printer owners could regain full local control without routing through Bambu’s servers
