v0.7.1 — security fix (CVE-2026-49994)

@dannymcc dannymcc released this 10 Jun 18:39
v0.7.1
4014799

Security

This release fixes CVE-2026-49994 (GHSA-qj2j-wcg3-74jw) — a critical missing-authentication issue where the /api/* routes were reachable without a valid session even when web authentication was enabled, exposing device data and allowing settings/group mutations.

The web server now applies a default-deny authentication middleware: every route requires a valid session except the endpoints needed to log in. All users running with web auth enabled should upgrade.
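The default-deny pattern described above, sketched as a standard-library WSGI middleware. This is an added example, not the project's code; the public paths, cookie name and session store are assumptions, since the release notes do not name them.

```python
import hmac
from http.cookies import CookieError, SimpleCookie

# Assumed names: the release notes do not list the login endpoints or cookie name.
PUBLIC_PATHS = frozenset({"/login", "/api/auth/login"})
SESSION_COOKIE = "session"


class DefaultDenyAuth:
    """WSGI middleware: a request passes only with a valid session or an allowlisted path."""

    def __init__(self, app, sessions, auth_enabled=True):
        self.app = app
        self.sessions = sessions          # server-side set of live session tokens
        self.auth_enabled = auth_enabled

    def _has_valid_session(self, environ):
        try:
            morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get(SESSION_COOKIE)
        except CookieError:
            return False
        if morsel is None:
            return False
        token = morsel.value.encode()
        return any(hmac.compare_digest(token, s.encode()) for s in self.sessions)

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        # Exact match only: "/loginx" or a new, unlisted route is never public.
        if (not self.auth_enabled or path in PUBLIC_PATHS
                or self._has_valid_session(environ)):
            return self.app(environ, start_response)
        if path.startswith("/api/"):
            start_response("401 Unauthorized", [("Content-Type", "application/json")])
            return [b'{"error": "authentication required"}']
        start_response("302 Found", [("Location", "/login")])
        return [b""]


def inner_app(environ, start_response):
    """Stand-in application with no auth checks of its own (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def status_for(app, path, cookie=""):
    """Drive the WSGI app with a constructed request and return the status line."""
    seen = []
    body = app({"PATH_INFO": path, "HTTP_COOKIE": cookie, "REQUEST_METHOD": "GET"},
               lambda status, headers: seen.append(status))
    list(body)
    return seen[0]
```

Because the check wraps the whole application, a route added later is protected unless someone deliberately adds it to the allowlist, which is the property per-route checks lack.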

Affected: all releases through v0.7.0. Fixed: v0.7.1.

Reported by Qihang via coordinated disclosure — thank you.