Concourse

v8.2.3 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 7d Pipelines

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

ci-cd concourse containers elm go pipelines

+1 more

runc

Affected surfaces

auth

ReleasePort's take

Moderate signal

editorial:auto 7d

The release fixes an open redirect vulnerability by unescaping the redirect URI before parsing.

Why it matters: CVE GHSA-8w27-c4vc-88q9 (severity 90) resolves an open‑redirect flaw; deploy v8.2.3 to mitigate this high‑risk issue.

Summary

AI summary

Updates 📦 Bundled Resource Types, 🐞 Bug Fixes, and bosh-io-release across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Security	Critical	Fixes open redirect vulnerability CVE GHSA-8w27-c4vc-88q9 by unescaping the redirect URI before parsing. Fixes open redirect vulnerability CVE GHSA-8w27-c4vc-88q9 by unescaping the redirect URI before parsing. Source: llm_adapter@2026-05-27 Confidence: high	—
Dependency	Low	Updates bundled resource types to latest versions: bosh-io-release v1.3.4, bosh-io-stemcell v1.5.4, docker-image v1.13.1, git v1.22.3, github-release v1.14.0, hg v1.5.4, mock v0.14.5, pool v1.8.1, registry-image v1.17.0, s3 v2.5.4, semver v2.0.1, time v1.11.3. Updates bundled resource types to latest versions: bosh-io-release v1.3.4, bosh-io-stemcell v1.5.4, docker-image v1.13.1, git v1.22.3, github-release v1.14.0, hg v1.5.4, mock v0.14.5, pool v1.8.1, registry-image v1.17.0, s3 v2.5.4, semver v2.0.1, time v1.11.3. Source: llm_adapter@2026-05-27 Confidence: high	—

Full changelog

What's Changed

🐞 Bug Fixes

unescape the redirect uri before further parsing it by @taylorsilva in https://github.com/concourse/concourse/pull/9587
- Resolves open redirect CVE https://github.com/concourse/concourse/security/advisories/GHSA-8w27-c4vc-88q9

📦 Bundled Resource Types

bosh-io-release: v1.3.4
bosh-io-stemcell: v1.5.4
docker-image: v1.13.1
git: v1.22.3
github-release: v1.14.0
hg: v1.5.4
mock: v0.14.5
pool: v1.8.1
registry-image: v1.17.0
s3: v2.5.4
semver: v2.0.1
time: v1.11.3

Full Changelog: https://github.com/concourse/concourse/compare/v8.2.2...v8.2.3

Security Fixes

GHSA-8w27-c4vc-88q9 — open redirect vulnerability fixed by unescaping the redirect URI before parsing.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Concourse

Get notified when new releases ship.

About Concourse

Concourse is a container-based automation system written in Go. It's mostly used for CI/CD.

All releases →