• v26.03.29.1 Stable

    bvandeusen released this 2026-03-29 15:40:45 -04:00 | 654 commits to main since this release

    What's new

    Security fixes

    • SSRF: block private/internal URLs in image cache fetch, RSS feed add, and CalDAV URL setting
    • Auth: GET /api/images/<id> now requires authentication (was unauthenticated)
    • Auth: Ollama model pull and delete restricted to admin users only
    • Info disclosure: email addresses removed from /api/users/search response
    • OAuth: account auto-linking skipped when provider does not set email_verified: true
    • Config: startup fails with a clear error when SECRET_KEY is default and SECURE_COOKIES=true
    • Rate limiting: startup warning added when TRUST_PROXY_HEADERS is not set behind a proxy
    • XSS: tightened DOMPurify config — src/alt removed from global attribute allowlist

    MCP bug fixes

    • fable_add_task_log: was posting {"body": ...} — API expects {"content": ...}; all log entries now save correctly
    • fable_create_project: status parameter was silently discarded; projects can now be created with status="archived"
    • fable_create_milestone: status parameter was silently discarded; milestones can now be created with status="done"
    Downloads