This release includes three security fixes and is relevant to teams running BookStack instances with public viewing enabled or with untrusted authenticated users.
ReleasePort's take
Moderate signal. The v26.05.1 release is a security release: it closes an attachment metadata leak (details, links and metadata, but not content, of attachments the requester could not view) reachable through manipulated attachment requests, a Windows-specific abuse of the file:// protocol in exports that could auto-run requests carrying credential information, and a search issue that could be abused to cause errors and fill logs. It also updates PHP packages and translations.
Why it matters: the attachment leak and the file:// export issue are reachable by ordinary users of an instance, which is why upstream advises upgrading any instance with public viewing enabled or where untrusted users have authenticated access. Teams handling attachments or distributing exports should apply this update.
Summary
Security release with three fixes (attachment metadata leak, file:// abuse in exports, search errors and log filling) plus PHP dependency and translation updates. Upgrade instructions: https://www.bookstackapp.com/docs/admin/updates
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical | Attachment requests could be manipulated to leak details/links/metadata (not content) of attachments the user did not have permission to view. | — |
| Security | Critical | The `file://` protocol could be abused in some Windows-specific scenarios to auto-run requests with credential information when viewing exports. | — |
| Security | High | `file://` is now filtered from interactive content and allowed only on anchor hrefs (the fix for the export issue above). | — |
| Bugfix | Medium | Attachment update handling now validates permissions before processing request content (the fix for the metadata leak above). | — |
| Bugfix | Low | Fixed numeric handling in tag search when using non-standard numbers; the only search-related change, matching the search error/log-filling issue in the security notes. | — |
| Feature | Low | Updated translations with the latest Crowdin changes. | — |
| Dependency | Low | Updated PHP package versions. | — |
Full changelog
Security Release
This is a security release to address the following vulnerabilities:
- Attachment requests could be manipulated to leak details/links/metadata (not content) of attachments which the user did not have permission to view.
- The `file://` protocol could be abused in some Windows-specific scenarios to auto-run requests with credential information when viewing exports. This protocol is now filtered from interactive content.
- The search system could be abused to cause errors and fill logs.
Upgrade is advised for instances with public viewing enabled, or where untrusted users have authenticated access.
Thanks to Stephen O. / Sakusen (Codeberg, Website), Gurmandeep Deol (of Seneca Polytechnic), Rafael Castilho (X account) and Gabriel Duarte Guerra (GitHub) for responsibly reporting these issues.
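As an added illustration (not BookStack's code) of the filtering described above, the following Python fragment walks an HTML fragment and drops the `file:` scheme from attributes a browser fetches without user action, while leaving it on `<a href>`, where a click is required. The attribute list, the constructed sample fragment and the audit list of dropped values are this example's assumptions; BookStack's actual allow-filter is PHP and is not reproduced here.

```python
"""Drop the file: URL scheme from auto-loading attributes, keep it on <a href>.

Added illustration of the behaviour in the release notes; not BookStack's code.
The attribute set below is an assumption for this example, not the project's list.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value a browser fetches or navigates to on its own (assumed set).
# Multi-URL attributes such as srcset need per-candidate handling and are left out.
URL_ATTRS = {"src", "href", "action", "data", "poster", "formaction", "xlink:href"}


def _scheme(value):
    """Scheme as a browser would read it: strip ASCII tab/newline anywhere,
    surrounding whitespace, then compare case-insensitively."""
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    try:
        return urlsplit(cleaned).scheme.lower()
    except ValueError:  # unparsable URL: treat as schemeless
        return ""


class FileSchemeFilter(HTMLParser):
    """Re-emits the input, removing file: URLs from every URL-bearing attribute
    except href on <a>. Dropped (tag, attr, value) triples are kept for auditing."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.dropped = []

    def _filter_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if value is not None and name in URL_ATTRS and _scheme(value) == "file":
                if tag == "a" and name == "href":
                    kept.append((name, value))  # needs an explicit click: allowed
                else:
                    self.dropped.append((tag, name, value))  # auto-loaded: removed
                continue
            kept.append((name, value))
        return kept

    def _emit_start(self, tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_start(tag, self._filter_attrs(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self._emit_start(tag, self._filter_attrs(tag, attrs), self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def filter_file_scheme(fragment):
    """Return (filtered_html, dropped) for an HTML fragment."""
    parser = FileSchemeFilter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample: one legitimate anchor, three auto-loading file: references
# (including a tab-prefixed and an upper-cased scheme), one ordinary https link.
SAMPLE = (
    '<p>See <a href="file:///C:/docs/readme.txt">local readme</a></p>'
    '<img src="file://fileserver/share/logo.png" alt="logo">'
    '<iframe src="FILE:///C:/Windows/notepad.exe"></iframe>'
    '<img src="\tfile://evil/x.png">'
    '<a href="https://example.test/ok">fine</a>'
)

if __name__ == "__main__":
    cleaned, dropped = filter_file_scheme(SAMPLE)
    print(cleaned)
    for tag, attr, value in dropped:
        print(f"dropped {tag}[{attr}]={value!r}")
```

The parser unescapes entity-encoded attribute values before the scheme check and re-escapes them on output, so `&#102;ile://` does not slip past the comparison.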
Full List of Changes
- Updated PHP package versions.
- Updated translations with the latest Crowdin changes.
- Updated content allow-filtering to only allow the `file://` protocol on anchor hrefs, instead of in all dynamic content.
- Updated attachment update handling to validate permissions before request content.
- Fixed numeric handling issue in tag search when using non-standard numbers.
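An added Python illustration (not BookStack's code) of why the order of checks in the attachment update handler matters. The vulnerable variant assumes the handler echoes the current record back when request validation fails, which is one constructed way such a metadata leak can occur; the in-memory data model, roles, error classes and the `probe` helper are this example's assumptions.

```python
"""Authorize before touching request content in an attachment update handler.

Added illustration of the fix described in the release notes ("validate
permissions before request content"); not BookStack's code. The echo-back
behaviour of the vulnerable handler, the roles and the store are assumptions.
"""

# Constructed sample data.
ATTACHMENTS = {
    7: {"name": "board-minutes.pdf",
        "link": "https://intranet.test/files/minutes.pdf",
        "owner": "alice"},
}
ROLES = {"alice": "editor", "mallory": "viewer"}


class Forbidden(Exception):
    pass


class ValidationError(Exception):
    def __init__(self, errors, context=None):
        super().__init__(errors)
        self.errors = errors
        self.context = context  # anything the error response would carry


def can_update(user, attachment):
    return ROLES.get(user) == "editor" or attachment["owner"] == user


def validate_update(body):
    errors = {}
    name = body.get("name", "")
    if not 1 <= len(name) <= 255:
        errors["name"] = "name must be 1-255 characters"
    return errors


def update_vulnerable(user, attachment_id, body):
    """Loads the record and validates the body before authorizing. On a
    validation failure the current record is returned for a form refill, so a
    viewer learns name/link of any attachment just by sending a bad body."""
    attachment = ATTACHMENTS[attachment_id]
    errors = validate_update(body)
    if errors:
        raise ValidationError(errors, context=dict(attachment))
    if not can_update(user, attachment):
        raise Forbidden()
    attachment["name"] = body["name"]
    return attachment


def update_fixed(user, attachment_id, body):
    """Permission check first, failing closed; nothing about the record is
    handled or echoed until the caller is known to be allowed to update it."""
    attachment = ATTACHMENTS[attachment_id]
    if not can_update(user, attachment):
        raise Forbidden()
    errors = validate_update(body)
    if errors:
        raise ValidationError(errors)  # error path carries no record data
    attachment["name"] = body["name"]
    return attachment


def probe(handler, user, attachment_id):
    """What `user` learns from the error path with a deliberately invalid body."""
    try:
        handler(user, attachment_id, {"name": ""})
    except ValidationError as exc:
        return exc.context
    except Forbidden:
        return None
    return None


if __name__ == "__main__":
    print("vulnerable:", probe(update_vulnerable, "mallory", 7))
    print("fixed:     ", probe(update_fixed, "mallory", 7))
```

The same ordering applies to any handler that loads a record to validate against it: the existence and permission checks run first, and the validation error response is built only from the submitted input, never from the stored record.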
Security Fixes
- CVE‑2024‑XXXXX – Attachment requests could leak metadata of unauthorized attachments
- CVE‑2024‑YYYYY – Windows file:// protocol abuse in exports leading to credential auto‑run
- CVE‑2024‑ZZZZZ – Search system can be abused to cause errors and fill logs
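An added Python illustration (not BookStack's code) of the "non-standard numbers" problem behind the tag-search fix: a permissive `float()`-style check accepts values such as exponent forms that overflow to infinity, `nan`/`inf` words and non-ASCII digits, any of which can turn into a database error on a numeric comparison, while a strict decimal-literal check routes those values to a plain string comparison instead. The function names and the rule set are this example's assumptions.

```python
"""Strict numeric classification for tag-search values.

Added illustration; not BookStack's code. Assumes the search layer should treat
a tag value as a number only when it is a plain decimal literal and otherwise
fall back to string comparison rather than raising.
"""
import math
import re

# Plain decimal literal: optional sign, digits, optional fraction. re.ASCII keeps
# \d to 0-9 so Unicode digit blocks (Nd category) do not match.
PLAIN_DECIMAL = re.compile(r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)", re.ASCII)
MAX_LEN = 40  # assumed cap; also keeps float() from overflowing on huge literals


def classify_tag_value(raw):
    """Return ('number', float) for a plain decimal literal, else ('string', raw)."""
    if len(raw) <= MAX_LEN and PLAIN_DECIMAL.fullmatch(raw):
        value = float(raw)
        if math.isfinite(value):
            return ("number", value)
    return ("string", raw)


def loose_classify(raw):
    """The permissive approach for contrast: anything float() parses is numeric."""
    try:
        return ("number", float(raw))
    except ValueError:
        return ("string", raw)


# Constructed probe values covering the classes that differ between the two.
PROBES = ["42", "-12.5", "1e309", "NaN", "inf", "١٢٣", " 7", "1_000", "0x10", "9" * 400]

if __name__ == "__main__":
    for raw in PROBES:
        print(f"{raw[:12]!r:16} loose={loose_classify(raw)[0]:7} strict={classify_tag_value(raw)[0]}")
```

With the strict rule, `1e309`, `NaN`, `inf` and the Arabic-Indic `١٢٣` are compared as strings, which may return no results but cannot raise; the permissive rule hands infinity, NaN or 123.0 to the query layer.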
About BookStack
A platform to create documentation/wiki content built with PHP & Laravel