-
v26.03.29.1 Stable
released this
2026-03-29 15:40:45 -04:00 | 654 commits to main since this releaseWhat's new
Security fixes
- SSRF: block private/internal URLs in image cache fetch, RSS feed add, and CalDAV URL setting
- Auth:
GET /api/images/<id>now requires authentication (was unauthenticated) - Auth: Ollama model pull and delete restricted to admin users only
- Info disclosure: email addresses removed from
/api/users/searchresponse - OAuth: account auto-linking skipped when provider does not set
email_verified: true - Config: startup fails with a clear error when
SECRET_KEYis default andSECURE_COOKIES=true - Rate limiting: startup warning added when
TRUST_PROXY_HEADERSis not set behind a proxy - XSS: tightened DOMPurify config —
src/altremoved from global attribute allowlist
MCP bug fixes
fable_add_task_log: was posting{"body": ...}— API expects{"content": ...}; all log entries now save correctlyfable_create_project:statusparameter was silently discarded; projects can now be created withstatus="archived"fable_create_milestone:statusparameter was silently discarded; milestones can now be created withstatus="done"
Downloads