This release includes six security-related changes (SQL injection via actor inbox URL, JSON-LD object validation, external auth token replay, SSRF on import and channel sync, role assignment, password reset rate limiting); teams running exposed PeerTube deployments should review them and upgrade.
Summary
SQL injection fix in actor inbox URL handling during follow score updates, rejection of JSON-LD objects with special properties, external auth token replay prevention, SSRF prevention on import and channel sync, role assignment restricted to administrators, and a stricter rate limit on password reset requests.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | Fix SQL injection from actor inbox URL during follow score updates | — |
| Security | Medium | Reject JSON-LD objects with special properties | — |
| Security | Medium | Prevent external auth token replay attacks | — |
| Security | Medium | Prevent SSRF on import and channel sync operations | — |
| Breaking | Medium | Restrict role assignment to administrators only | — |
| Feature | Medium | Stricter rate limit for password reset requests | — |
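The inbox URL of a remote ActivityPub actor is chosen by that remote server, so any query keyed on it must bind the value as a parameter. The following is an added illustration, not PeerTube's own code: the table and column names ("actorFollow", "score", "inboxUrl") and the helper names are assumptions made for the example. It puts the string-interpolated form beside the parameterized form and shows that a syntactic URL check does not stop the injection.

```typescript
// Added example (not PeerTube's code). Table/column names are assumptions for illustration.

interface SqlQuery { text: string; values: unknown[] }

// VULNERABLE: the inbox URL comes from the remote actor's ActivityPub document, and string
// interpolation lets a crafted URL change the statement's structure.
function buildScoreUpdateUnsafe(inboxUrls: string[], delta: number): SqlQuery {
  const list = inboxUrls.map(u => `'${u}'`).join(", ");
  return {
    text: `UPDATE "actorFollow" SET "score" = "score" + ${delta} WHERE "inboxUrl" IN (${list})`,
    values: []
  };
}

// HARDENED: PostgreSQL-style positional placeholders ($1, $2, ...). The driver sends the
// values separately, so quotes or comment sequences inside a URL are just data.
function buildScoreUpdateSafe(inboxUrls: string[], delta: number): SqlQuery {
  const placeholders = inboxUrls.map((_, i) => `$${i + 2}`).join(", ");
  return {
    text: `UPDATE "actorFollow" SET "score" = "score" + $1 WHERE "inboxUrl" IN (${placeholders})`,
    values: [delta, ...inboxUrls]
  };
}

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// Defence in depth only: an inbox must parse as an absolute http(s) URL without credentials.
// Included to show that this kind of validation does NOT stop the injection below.
function isPlausibleInboxUrl(s: string): boolean {
  const u = parseUrl(s);
  if (!u) return false;
  return (u.protocol === "https:" || u.protocol === "http:") && u.username === "" && u.password === "";
}

// Constructed sample: a syntactically valid URL whose path closes the IN (...) list and
// comments out the rest of the statement.
const MALICIOUS_INBOX = "https://evil.example/inbox')OR(1=1)--";

// Builds both variants for the malicious URL so the difference can be inspected or asserted.
function demo(): { unsafeText: string; safe: SqlQuery; passesUrlCheck: boolean } {
  return {
    unsafeText: buildScoreUpdateUnsafe([MALICIOUS_INBOX], 1).text,
    safe: buildScoreUpdateSafe([MALICIOUS_INBOX, "https://other.example/inbox"], 1),
    passesUrlCheck: isPlausibleInboxUrl(MALICIOUS_INBOX)
  };
}

console.log(demo());
```

The unsafe text ends up as `... IN ('https://evil.example/inbox')OR(1=1)--')`, which matches every row, while the safe text is a fixed template and the URL travels verbatim in `values`. Pass `text` and `values` to the driver's parameterized query call; do not try to escape the URL yourself.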
Full changelog
IMPORTANT NOTES
- Follow v8.1.0 IMPORTANT NOTES if you upgrade from PeerTube <= v8.0.2
SECURITY
- Fix SQL injection coming from actor inbox URL when updating actor follow scores. Thanks to Nagarajan Selvaraj Paulmony for reporting this vulnerability :pray:
- Reject JSON-LD objects with special properties. Thanks to Mastodon security team for reporting this vulnerability :pray:
- Restrict role assignment to administrators only
- Prevent external auth token replay
- Prevent SSRF on import and channel sync
- Stricter rate limit on password reset requests
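Import and channel-sync features fetch URLs supplied by users, which is the classic SSRF surface: a URL that points at loopback, a private range or the cloud metadata address. The block below is an added example of a pre-connect policy, not PeerTube's fix; it assumes the caller has already resolved the hostname and passes the address the socket will connect to (`checkImportUrl`, `isForbiddenV4`, `isForbiddenV6` and the sample URLs are all constructed for this example).

```typescript
// Added example (not PeerTube's code). DNS resolution is left to the caller so this runs offline.
import { isIP } from "node:net";

interface Verdict { ok: boolean; reason?: string }

// IPv4 ranges a video fetcher has no business reaching: "this" network, loopback, RFC 1918,
// CGNAT (100.64/10), link-local (covers cloud metadata at 169.254.169.254), multicast/reserved.
function isForbiddenV4(ip: string): boolean {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 || (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || a >= 224;
}

// IPv6: unspecified, loopback, IPv4-mapped (checked as the embedded IPv4), ULA fc00::/7,
// link-local fe80::/10, multicast ff00::/8. Assumes the resolver hands back the dotted form
// of mapped addresses (the hex form ::ffff:7f00:1 is not expanded here).
function isForbiddenV6(ip: string): boolean {
  const s = ip.toLowerCase();
  if (s === "::" || s === "::1") return true;
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(s);
  if (mapped) return isForbiddenV4(mapped[1]);
  const first = parseInt(s.split(":")[0] || "0", 16);
  return (first & 0xfe00) === 0xfc00 || (first & 0xffc0) === 0xfe80 || (first & 0xff00) === 0xff00;
}

// Anything that is not a parseable IP is refused: the fetcher must never connect blind.
function isForbiddenIp(ip: string): boolean {
  const kind = isIP(ip);
  return kind === 4 ? isForbiddenV4(ip) : kind === 6 ? isForbiddenV6(ip) : true;
}

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// Both the literal host in the URL and the resolved address are checked. The literal catches
// "http://127.0.0.1/" and its obfuscations (the WHATWG parser normalises "http://2130706433/"
// and "http://0x7f.1/" to 127.0.0.1); the resolved address catches hostnames that point inward.
function checkImportUrl(raw: string, resolvedIp: string): Verdict {
  const u = parseUrl(raw);
  if (!u) return { ok: false, reason: "unparseable" };
  if (u.protocol !== "https:" && u.protocol !== "http:") return { ok: false, reason: "scheme" };
  if (u.username !== "" || u.password !== "") return { ok: false, reason: "userinfo" };
  const host = u.hostname.replace(/^\[|\]$/g, "");   // Node keeps brackets on IPv6 literals
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost" };
  if (isIP(host) !== 0 && isForbiddenIp(host)) return { ok: false, reason: "literal private ip" };
  if (isForbiddenIp(resolvedIp)) return { ok: false, reason: "resolved private ip" };
  return { ok: true };
}

console.log(checkImportUrl("https://videos.example/w/abc", "203.0.113.10"));
console.log(checkImportUrl("http://2130706433/", "127.0.0.1"));
console.log(checkImportUrl("https://meta.internal/", "169.254.169.254"));
```

Two caveats a practitioner will want: the check has to be re-run on every redirect hop (a public host can 302 to an internal one), and the connection must be pinned to the address that was checked (for example by supplying the resolved IP through the HTTP client's lookup hook), otherwise a DNS answer that changes between check and connect bypasses it.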
About PeerTube
ActivityPub-federated video streaming platform using P2P directly in your web browser