This release includes 5 security fixes for security teams reviewing exposed deployments.
Summary
AI summary: Fixed numerous reliability issues across reports, notifications, email, CSAT, CSV exports, portals, widgets, TikTok, and Slack integrations.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | High | Security: webhook validation, SSRF hardening, safer uploads, SAML fixes, and admin auth checks. | — |
| Feature | Low | Companies: creation, details, notes, history, labels, and activity tracking. | — |
| Feature | Low | Help Center: bulk actions, AI translation, URL embeds, and category-based article creation. | — |
| Feature | Low | Captain/AI: document sync, FAQ improvements, handoff classification, and config refresh fixes. | — |
| Feature | Low | Inbox UX: expanded chat list, bulk actions, attachments, quoted replies, and conversation IDs. | — |
| Feature | Low | Integrations: Linear issue linking, template previews, WhatsApp campaign variables, and IMAP auth options. | — |
| Feature | Low | Voice: groundwork for WhatsApp/Twilio calling, inbound calls, recordings, and call join support. | — |
| Bugfix | Low | Reliability: fixes across reports, notifications, email, CSAT, CSV, portals, widgets, TikTok, and Slack. | — |

Source for all rows: granite4.1:8b-q6_K@2026-05-19. Confidence: high.
Full changelog
ChangeLog
- Companies: creation, details, notes, history, labels, and activity tracking.
- Help Center: bulk actions, AI translation, URL embeds, and category-based article creation.
- Captain/AI: document sync, FAQ improvements, handoff classification, and config refresh fixes.
- Inbox UX: expanded chat list, bulk actions, attachments, quoted replies, and conversation IDs.
- Integrations: Linear issue linking, template previews, WhatsApp campaign variables, and IMAP auth options.
- Voice: groundwork for WhatsApp/Twilio calling, inbound calls, recordings, and call join support.
- Security: webhook validation, SSRF hardening, safer uploads, SAML fixes, and admin auth checks.
- Reliability: fixes across reports, notifications, email, CSAT, CSV, portals, widgets, TikTok, and Slack.
Thanks to @55728, @ajith-k-v, @alwahib, @bfontaine, @Chesars, @gbarany, @joaocps, @ko-vasilev, @linbaublys, @Lomuzord, @Mrsandeep27, @nooty, @ramalau0, @RenatoAscencio, @salmonumbrella, @SapotaDA, @tony2tones for the contributions.
Security Fixes
- Webhook validation improvements
- SSRF hardening
- Safer uploads
- SAML fixes
- Admin authentication checks
About chatwoot
Open-source live-chat, email support, omni-channel desk. An alternative to Intercom, Zendesk, Salesforce Service Cloud etc.