BookStack

v26.03.5 Security

This release includes 1 security fix relevant to security teams reviewing exposed deployments.

Published 13d Productivity & Wikis
✓ No known CVEs patched
This release patches 1 known CVE

Topics

bookstack documentation laravel php self-hosted wiki

Affected surfaces

auth

ReleasePort's take

Moderate signal
editorial:auto 13d

BookStack v26.03.5 adds rate limiting to MFA verification routes and updates PHP packages. Rate limiting provides defense against repeated verification attempts.

Why it matters: This release hardens MFA verification routes with rate limiting. Apply v26.03.5 if you operate BookStack with MFA enabled.

Summary

AI summary

Updates Security Release, Full List of Changes, and https://www.bookstackapp.com/docs/admin/updates across a mixed release.

Changes in this release

Security High

Addresses brute-force vulnerability in multi-factor authentication.

Source: granite4.1:30b@2026-05-21-audit

Confidence: low

Security Medium

Updates PHP packages and adds rate limiting to MFA verification routes.

Source: llm_adapter@2026-05-21

Confidence: low

Dependency Medium

Updates PHP package versions to mitigate potential vulnerabilities.

Source: granite4.1:30b@2026-05-21-audit

Confidence: low

Full changelog

Security Release

This is a security release to address a brute-force based vulnerability related to multi-factor authentication, and to update project libraries to help avoid potential vulnerabilities that have been reported in those.

Upgrade is generally advised, but strongly so where multi-factor authentication is used & considered as a critical layer of defense.

Thanks to Stephen O. / Sakusen (Codeberg, Website) for responsibly reporting these issues.

Full List of Changes

  • Updated PHP package versions.
  • Updated MFA verification routes with rate limiting.

Security Fixes

  • Added rate limiting to MFA verification routes to mitigate brute-force attacks.

About BookStack

A platform to create documentation/wiki content built with PHP & Laravel
