
CrossWatch

v0.9.21 Security

This release includes 5 security fixes for security teams reviewing exposed deployments.

Published 4d Media Servers
✓ No known CVEs patched
This release patches 5 known CVEs

Topics

anilist emby jellyfin mdblist media-sync media-synchronisation plex plex-media-server simkl tautulli tmdb trakt watcher webhook

Affected surfaces

auth

ReleasePort's take

Moderate signal
editorial:auto 4d

/api/app-auth/status no longer leaks active session metadata to unauthenticated clients; the endpoint now blocks enumeration of IP addresses, User‑Agent strings, internal IDs, and timestamps.

Why it matters: Unauthenticated callers can no longer retrieve sensitive session details (IP, UA, IDs, timestamps) from /api/app-auth/status, reducing information disclosure risk for all deployments using this API surface.

Summary

AI summary

Updates ✨ Highlights, 🔒 Security, and 🔧 Fixes & Improvements across a mixed release.

Changes in this release

Security Critical

/api/app-auth/status no longer exposes active session metadata to unauthenticated clients.

Source: llm_adapter@2026-05-30

Confidence: high

—
Security Critical

Unauthenticated clients can no longer enumerate session IP addresses, User-Agent strings, internal session IDs, or timestamps.

Source: llm_adapter@2026-05-30

Confidence: high

—
Security High

`POST /api/maintenance/reset-all-default` is no longer reachable via unauthenticated setup-lock bypass.

Source: llm_adapter@2026-05-30

Confidence: high

—
Security High

Legacy clean-reset recovery now requires setup credentials before execution.

Source: llm_adapter@2026-05-30

Confidence: high

—
Security High

/api/config/meta responses no longer include local filesystem details such as config path, size, or modification time for unauthenticated clients.

Source: llm_adapter@2026-05-30

Confidence: high

—
Feature Medium

Added Recent Activity dashboard widget for recently scrobbled movies and episodes.

Source: llm_adapter@2026-05-30

Confidence: high

—
Feature Medium

Added “View all” activity history with search and filters.

Source: llm_adapter@2026-05-30

Confidence: high

—
Feature Medium

Added activity method labels indicating source (Watcher, Webhook) or failure.

Source: llm_adapter@2026-05-30

Confidence: high

—
Feature Medium

Added provider/profile details in full activity history view for multi-profile auditing.

Source: llm_adapter@2026-05-30

Confidence: high

—
Feature Medium

Added UI setting to toggle display of Recent Activity (default enabled).

Source: llm_adapter@2026-05-30

Confidence: high

—
Feature Low

Added UI settings to choose number of Recent Activity and Recent Sync rows on the dashboard.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

—
Feature Low

Added maintenance action for clearing the local activity log.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

—
Feature Low

Added MDBList Device Code authentication as the preferred connection method.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

—
Full changelog

CrossWatch v0.9.21

Because security is a top priority for CrossWatch, this release is being released earlier than planned to address an issue in the authentication status endpoint. It also adds Recent Activity and a new authentication method for MDBList, Device Code authentication, which is now the default.

✨ Highlights

  • Added: Recent Activity dashboard widget for recently scrobbled movies and episodes.
  • Added: “View all” activity history with search and filters.
  • Added: Activity method labels so entries show whether they came from Watcher, Webhook, or failed activity.
  • Added: Provider/profile details in the full activity history view to make multi-profile setups easier to audit.
  • Added: UI setting to show or hide Recent Activity. Default is enabled.
  • Added: UI settings to choose how many Recent Activity and Recent Sync rows appear on the dashboard.
  • Added: Maintenance action for clearing the local activity log.
  • Added: MDBList Device Code authentication as the preferred connection method.
  • Added: MDBList API key mode remains available for existing and legacy setups.

🔒 Security

  • Fixed: /api/app-auth/status no longer exposes active session metadata to unauthenticated clients.
  • Fixed: Unauthenticated clients can no longer enumerate session IP addresses, User-Agent strings, internal session IDs, or session timestamps.
  • Hardened: POST /api/maintenance/reset-all-default is no longer reachable through an unauthenticated setup-lock bypass.
  • Hardened: Legacy clean-reset recovery now requires setup credentials first, then runs through an authenticated session.
  • Hardened: Unauthenticated /api/config/meta responses no longer include local filesystem details such as config path, file size, or modification time.

🔧 Fixes & Improvements

  • Changed: Updated the version to v0.9.21.

Security Fixes

  • Fixed: `/api/app-auth/status` no longer exposes active session metadata to unauthenticated clients.
  • Fixed: Unauthenticated clients can no longer enumerate session IP addresses, User-Agent strings, internal session IDs, or timestamps.
  • Hardened: `POST /api/maintenance/reset-all-default` is no longer reachable via an unauthenticated setup‑lock bypass.
  • Hardened: Legacy clean‑reset recovery now requires setup credentials before execution.
  • Hardened: Unauthenticated `/api/config/meta` responses omit local filesystem details (config path, file size, modification time).


About CrossWatch

Sync media watch statuses across platforms
