BetterDesk 3.2.0


@UNITRONIX UNITRONIX released this 10 Jun 01:02
6d4d42b

BetterDesk 3.2.0 — stable release

Production release 3.2.0 (stable main). Ships via Settings → Updates on the Stable channel, or betterdesk.sh / betterdesk.ps1 option 2. Panel update creates a pre-update backup by default. No database migration or manual SQL step is required.

Security

  • CVE-2026-50575 / GHSA-3v82-3gf8-fxx8 (device replay after delete) — WebSocket signal registration now rejects soft-deleted peer IDs (new registration and heartbeat), matching UDP/TCP. UpdatePeerStatus no longer marks soft-deleted rows ONLINE. Restoration is explicit only via POST /api/peers/{id}/restore or the Devices UI. Requires betterdesk-server update (panel rebuild/redeploy when Go sources change).
  • Dependency updates — go-ntlmssp 0.1.1 (CVE-2026-32952), golang.org/x/image 0.38.0 (CVE-2026-33809), pgx/v5 5.9.2 in Go modules; openssl 0.10.80 and tauri 2.11.2 in Tauri Cargo.lock (desktop client rebuild required for Rust-side fixes; a server/console panel update alone is not enough for desktop).
  • Go API proxy hardening — shared goApiProxy.js validates path segments on fleet, commercialization, and cross-platform routes; ID guards on all proxy routes; blocks path-smuggling while accepting RustDesk peer IDs (a-zA-Z0-9_-).
  • Go API SSRF guard — goApiPath validates relative paths on the betterdeskApi client; policy routes validate org/device IDs; help-request IDs are validated before proxying to Go.
  • XSS — cross-platform.js, users.js, dataguard.js, cdap-studio.js escape/sanitize dynamic HTML and CSS class names.
  • Path confinement — shared safePath for backup deletion, i18n language files, server file browser, fontService, and fileTransferService (symlink-aware root checks). File browser respects BETTERDESK_FILE_ALLOWED_ROOTS.
  • SSRF / shell hardening — OIDC discovery URLs validated before fetch; network monitor HTTP/TCP checks use validated hostname/port/path; terminal proxy restricted to known system shell paths; updateService and deploy helpers use execFileSync argv arrays; linux-ensure-console-user.js uses execFileSync.
  • Clear-text logging — admin password no longer logged on first install; API login logs redact usernames (logRedact.js); admin self-test password cleared after use in authService.
  • Audit log — Recent / RecentByAction clamp n to 500 to limit allocation.
  • CI — build.yml default permissions: contents: read; write only on release/binary-update jobs.
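To make the soft-delete guard from the CVE-2026-50575 item concrete, here is an added illustration (not BetterDesk's code): an in-memory peer store whose signal registration, heartbeat and UpdatePeerStatus refuse a soft-deleted ID until an explicit Restore. The Peer/PeerStore types, the Deleted flag and the peer ID "abc123" are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative model, not BetterDesk's real schema: Deleted mirrors a soft-delete marker.
type Peer struct {
	Status  string // "ONLINE" or "OFFLINE"
	Deleted bool
}

type PeerStore struct{ peers map[string]*Peer } // in-memory stand-in for the peers table

var ErrPeerDeleted = errors.New("peer is soft-deleted; restore it explicitly before it can register")

// RegisterSignal models WebSocket registration/heartbeat: a soft-deleted ID is refused, matching UDP/TCP.
func (s *PeerStore) RegisterSignal(id string) error {
	if p, ok := s.peers[id]; ok && p.Deleted {
		return ErrPeerDeleted
	} else if !ok {
		s.peers[id] = &Peer{}
	}
	return s.UpdatePeerStatus(id, "ONLINE")
}

// UpdatePeerStatus never marks a soft-deleted row ONLINE; OFFLINE is still allowed.
func (s *PeerStore) UpdatePeerStatus(id, status string) error {
	p, ok := s.peers[id]
	if !ok {
		return fmt.Errorf("unknown peer %q", id)
	}
	if p.Deleted && status == "ONLINE" {
		return ErrPeerDeleted
	}
	p.Status = status
	return nil
}

// SoftDelete marks a known peer deleted and offline. Restore is the only way back: the
// explicit operator action behind POST /api/peers/{id}/restore or the Devices UI.
func (s *PeerStore) SoftDelete(id string) { s.peers[id].Deleted, s.peers[id].Status = true, "OFFLINE" }
func (s *PeerStore) Restore(id string)    { s.peers[id].Deleted = false }

func main() {
	s := &PeerStore{peers: map[string]*Peer{"abc123": {Status: "ONLINE"}}}
	s.SoftDelete("abc123")
	fmt.Println(s.RegisterSignal("abc123")) // replay refused until an explicit Restore
}
```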

Fixed

  • RBAC — deleting the last super_admin / legacy admin is blocked (HTTP 409), aligned with update/demotion guards; org owner label shown as Org Admin in all 26 locales.
  • Panel update (dev channel) — repair step no longer re-downloads removed web-nodejs/scripts/* paths (404 false failures after dev-only i18n toolkit move).
  • Console update channel UX — Modal.confirm for the channel switch dialog; clearer Stable / Development labels and Docker update UI strings in all locales.
  • Go server deploy (Linux panel) — privileged Go server binary deploy from the Linux panel (hotfix already on main).

Added

  • One-line Linux installer (install.sh) — curl -fsSL …/install.sh | sudo bash for an automated Docker quick-start (engine install when missing, compose download with validation, relay IP detection, firewall rules, health wait, credential summary). Use --native for git clone + betterdesk.sh --auto, or --uninstall / --purge to tear down the Docker stack.

Changed

  • i18n dev toolkit moved to web-nodejs/scripts/dev-i18n/ — not deployed to production consoles; one-shot patch-* scripts removed (recoverable from git history).
  • Update channel switcher — stable vs development channel selection in Settings → Updates (production servers should stay on Stable).

Upgrade notes (operators)

| Topic | Action |
| --- | --- |
| Native / panel update | Settings → Updates → Stable → Check for updates → Install. Allow Go server rebuild/restart when prompted. |
| Docker | Pull new GHCR tags after release (docker compose pull && docker compose up -d); in-app GitHub install is disabled in container mode. |
| Soft-deleted devices | Do not expect deleted peers to self re-register over WebSocket; use Restore in Devices if intentional. |
| Custom file paths | If file browser or font upload breaks, review BETTERDESK_FILE_ALLOWED_ROOTS in console .env. |
| Desktop client (Tauri) | Rebuild/reinstall desktop agent after this release to pick up openssl / tauri lockfile fixes. |
| Rollback | Use the automatic pre-update backup from Settings → Updates, or restore from your own snapshot. |

Verify after update

  1. Panel login and dashboard load.
  2. Settings → Updates shows current version; no repair 404 errors.
  3. Devices list and one test remote session.
  4. Optional: delete-user guard — last admin cannot be removed (409).
  5. Docker operators: confirm new image tag on GHCR matches v3.2.0.

What's Changed

Full Changelog: v3.1.0...v3.2.0