v7.27.2
Release Notes
This update provides important bug fixes and improvements.
Security
Resolved Issues
- Fixed: An authenticated user may be able to retrieve or delete files outside the intended authorization scope. An authorization issue was addressed with improved checks. CVE-2026-32097
Files
Updates & Improvements
- The thread file retrieval endpoint has been updated to GET /class/{class_id}/thread/{thread_id}/message/{message_id}/file/{file_id}.
- The thread file deletion endpoint has been updated to DELETE /class/{class_id}/thread/{thread_id}/message/{message_id}/file/{file_id}.
- The thread image retrieval endpoint for Classic Assistants has been split into two endpoints:
  - GET /class/{class_id}/thread/{thread_id}/ci_call/{ci_call_id}/image/{file_id} for Code Interpreter outputs.
  - GET /class/{class_id}/thread/{thread_id}/message/{message_id}/image/{file_id} for user uploaded images.
- GET /class/{class_id}/thread/{thread_id}/image/{file_id} remains the thread image retrieval endpoint for Next-Gen Assistants.
Deprecations
- The thread-scoped file retrieval endpoint (GET /class/{class_id}/thread/{thread_id}/file/{file_id}) is no longer supported.
- The thread-scoped file deletion endpoint (DELETE /class/{class_id}/thread/{thread_id}/file/{file_id}) is no longer supported.
- The thread-scoped image retrieval endpoint (GET /class/{class_id}/thread/{thread_id}/image/{file_id}) is no longer supported for Classic Assistants.
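To find clients that still call the retired routes after upgrading, this added example (not part of the release or the project's code) classifies access-log requests against the endpoints listed in these notes. The log format, the `/api` mount prefix and the ID formats are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter

SEG = r"[^/?#\s]+"                      # one path segment (ID format is an assumption)
BASE = rf"/class/{SEG}/thread/{SEG}"
# Routes taken from the release notes; the status labels are this example's own.
ROUTES = [
    ("GET",    rf"{BASE}/message/{SEG}/file/{SEG}",  "current"),
    ("DELETE", rf"{BASE}/message/{SEG}/file/{SEG}",  "current"),
    ("GET",    rf"{BASE}/ci_call/{SEG}/image/{SEG}", "current"),
    ("GET",    rf"{BASE}/message/{SEG}/image/{SEG}", "current"),
    ("GET",    rf"{BASE}/file/{SEG}",                "deprecated"),
    ("DELETE", rf"{BASE}/file/{SEG}",                "deprecated"),
    # Next-Gen only, unsupported for Classic; the path cannot tell them apart: review.
    ("GET",    rf"{BASE}/image/{SEG}",               "review"),
]
# search() rather than match() tolerates a mount prefix such as /api (assumption).
COMPILED = [(m, re.compile(p + r"/?(?:\?\S*)?$"), s) for m, p, s in ROUTES]
REQUEST = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+"')

def classify(method, path):
    """Return 'current', 'deprecated', 'review' or 'other' for one request."""
    for m, rx, status in COMPILED:
        if m == method.upper() and rx.search(path):
            return status
    return "other"

def audit(lines):
    """Count requests per (classification, method) across access-log lines."""
    hits = Counter()
    for line in lines:
        found = REQUEST.search(line)
        if found:
            method, path = found.groups()
            hits[(classify(method, path), method)] += 1
    return hits

# Constructed sample log lines (IDs, addresses and status codes are made up).
SAMPLE = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /class/12/thread/34/message/56/file/f-1 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2026:10:00:03 +0000] "GET /class/12/thread/34/file/f-1 HTTP/1.1" 404 0',
    '10.0.0.6 - - [01/Jan/2026:10:00:04 +0000] "DELETE /class/12/thread/34/file/f-1?x=1 HTTP/1.1" 404 0',
    '10.0.0.7 - - [01/Jan/2026:10:00:09 +0000] "GET /api/class/12/thread/34/image/f-2 HTTP/1.1" 200 2048',
    '10.0.0.8 - - [01/Jan/2026:10:00:11 +0000] "GET /class/12/thread/34/ci_call/9/image/f-3 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for (status, method), n in sorted(audit(SAMPLE).items()):
        print(f"{status:10} {method:6} {n}")
```

Requests classified as `review` need the assistant type from application data before they can be treated as deprecated calls.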
Deployment Information
| Schema Upgrade | Migration Script | Permissions Update | Task Definition Update | Configuration Update |
|---|---|---|---|---|
| No | No | No | No | No |
Deployment Details
- N/A
Related PRs
Full Changelog: v1144+srv577.web407...v1146+srv578.web408