
countly-server

v24.05.50 Security

This release includes 24 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched

Topics

ai analytics coppa crash-analytics customer-engagement web data-ownership data-privacy digital-analytics feature-flags gdpr hipaa insights mobile-analytics push-notifications remote-configuration tracking user-feedback user-journeys web-analytics

Affected surfaces

auth rbac rce_ssrf breaking_upgrade

Summary

AI summary

Hardening pass adds token-login session regeneration, endpoint removals, aggregation stage blocks, SSRF protections, schema validations, mass-assignment allowlists, and XSS fixes.

Changes in this release

Security Medium (AI summary; Source: granite4.1:8b-q6_K@2026-05-19; Confidence: high for every entry)

  • Restrict /login/token/:token to login-purpose tokens; regenerate session id on token login
  • Require auth + per-widget app permission on /o/dashboards/test; remove unused endpoint
  • Identical response for missing/inaccessible dashboard (no enumeration)
  • Block $graphLookup aggregation stage in dbviewer (cross-collection data exfiltration)
  • Apply SSRF protection to app.redirect_url outbound requests
  • Authorize /i/tasks/{update,delete,name,edit} per task ownership / app admin / global admin
  • Authorize /o/export/download by task ownership / app_id
  • Bind notes to permission-checked app_id; check edit permissions against stored app_id
  • Enforce saveNote schema validation
  • Replace updateApp/createApp mass-assignment with explicit field allowlist
  • Whitelist updatable fields on create/update; scope reads by app_id in event_groups
  • Sanitize user.picture filename before deletion (path traversal)
  • Scope export download/delete to caller's app_id; reject path-traversal in filenames for app_users
  • Strip dangerous Mongo operators ($where, $expr, $function, $accumulator) from user-supplied queries (logger, compliance-hub)
  • Bind push message routes to query-string app_id (cross-app push injection)
  • Validate alertConfig.selectedApps against caller's permissions (cross-app metric exfiltration)
  • Escape regex metacharacters in sSearch parameters (ReDoS)
  • /users/check/username now requires global admin (parity with email check)
  • /i/cms/save_entries, /o/system/plugins, /i/systemlogs restricted to global admins (cms, system, systemlogs)
  • Replace OTP-equality recaptcha bypass with twoFactorPassed session flag
  • Generate new-member invite prid with crypto.randomBytes (replace predictable HMAC)
  • Remove noescape query-string bypass on returnOutput (reflected XSS via parameter)
  • Handle req.session.regenerate error in token login
  • Return 404 when event_groups lookup misses (not 500)

Bugfix Medium (AI summary; Source: granite4.1:8b-q6_K@2026-05-19; Confidence: high for every entry)

  • Close stored XSS in feedback widget logo upload/preview; restrict uploads to image MIME types and validate magic bytes
  • Defense-in-depth on image upload/serve routes (star-rating)
  • Constrain export/import paths to allowed directories; reject path-traversal in target_path, multipart filenames, and exportid
  • Reject path-traversal in admin log file paths (errorlogs)
  • Harden streamed responses with error handlers (system-utility)
  • Add error handlers to crash report streamed responses (crashes)

Full changelog

Security Fixes (backport of #7535 — bug-bounty-style hardening pass):

  • [auth] Restrict /login/token/:token to login-purpose tokens; regenerate session id on token login to close fixation
  • [dashboards] Require auth + per-widget app permission on /o/dashboards/test; remove the unused endpoint
  • [dashboards] Identical response for missing/inaccessible dashboard (no enumeration)
  • [dbviewer] Block $graphLookup aggregation stage (cross-collection data exfiltration)
  • [redirect] Apply SSRF protection (api/utils/ssrf-protection.js) to app.redirect_url outbound requests
  • [tasks] Authorize /i/tasks/{update,delete,name,edit} per task ownership / app admin / global admin
  • [exports] Authorize /o/export/download by task ownership / app_id
  • [notes] Bind notes to permission-checked app_id; check edit permissions against the note's stored app_id
  • [notes] Enforce saveNote schema validation
  • [apps] Replace updateApp/createApp mass-assignment with explicit field allowlist
  • [event_groups] Whitelist updatable fields on create/update; scope reads by app_id
  • [app_users] Sanitize user.picture filename before deletion (path traversal)
  • [app_users] Scope export download/delete to caller's app_id; reject path-traversal in filenames
  • [app_users / logger / compliance-hub] Strip dangerous Mongo operators ($where, $expr, $function, $accumulator) from user-supplied queries
  • [push] Bind message create/test/update/one/remove/toggle to query-string app_id (cross-app push injection)
  • [alerts] Validate alertConfig.selectedApps against caller's permissions (cross-app metric exfiltration)
  • [data] Escape regex metacharacters in sSearch parameters (ReDoS)
  • [users] /users/check/username now requires global admin (parity with email check)
  • [cms / system / systemlogs] /i/cms/save_entries, /o/system/plugins, /i/systemlogs restricted to global admins
  • [auth] Replace OTP-equality recaptcha bypass with twoFactorPassed session flag
  • [auth] Generate new-member invite prid with crypto.randomBytes (replace predictable HMAC)
  • [output] Remove noescape query-string bypass on returnOutput (reflected-XSS via parameter)
  • [auth] Handle req.session.regenerate error in token login
  • [data] Return 404 (not 500) when event_groups lookup misses
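
Three of the query-input fixes above (stripping `$where`/`$expr`/`$function`/`$accumulator`, blocking the `$graphLookup` stage, and escaping `sSearch` before it becomes a regex) share one idea: never let a client choose the operators the database evaluates. The following is an added example, not Countly's own code; it assumes JSON-parsed input (plain objects, arrays, primitives) and returns the paths it removed so a deployment can log them.

```javascript
// Added example (not Countly's code): sanitising user-supplied query input
// along the lines the changelog describes. Works on JSON-parsed input only.
const BLOCKED_OPERATORS = new Set(['$where', '$expr', '$function', '$accumulator']);
const BLOCKED_STAGES = new Set(['$graphLookup']);

// Walk a user-supplied filter and drop every blocked operator together with
// its subtree, however deeply nested ($and/$or arrays, $group accumulators).
// Dotted paths of what was removed come back so the caller can log them.
function sanitizeQuery(userQuery) {
  const stripped = [];
  function walk(value, path) {
    if (Array.isArray(value)) return value.map((item, i) => walk(item, `${path}[${i}]`));
    if (value === null || typeof value !== 'object') return value;
    const out = {};
    for (const [key, child] of Object.entries(value)) {
      const childPath = path ? `${path}.${key}` : key;
      if (BLOCKED_OPERATORS.has(key)) { stripped.push(childPath); continue; }
      out[key] = walk(child, childPath);
    }
    return out;
  }
  return { query: walk(userQuery, ''), stripped };
}

// Reject a user-supplied aggregation pipeline outright if any stage is
// blocked; each stage is a one-key object, so the key is the stage name.
function checkPipeline(pipeline) {
  if (!Array.isArray(pipeline)) throw new TypeError('pipeline must be an array of stages');
  for (const stage of pipeline) {
    for (const name of Object.keys(stage)) {
      if (BLOCKED_STAGES.has(name)) throw new Error(`aggregation stage ${name} is not allowed`);
    }
  }
  return pipeline;
}

// Escape regex metacharacters so an sSearch value is matched literally
// rather than compiled into a pattern the client controls (ReDoS).
function escapeRegex(text) {
  return String(text).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}
```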

24.05-specific notes (some master fixes were not directly applicable):

  • C-1 ($graphLookup) and M-11 (dbviewer non-admin filter scope): master uses a whiteListedAggregationStages mechanism (added by SER-2122) and a getBaseAppFilter per-collection app-id mechanism that 24.05 does not have. C-1 is implemented as a minimal targeted block; M-11 is not applicable here. A broader 24.05 dbviewer hardening (porting SER-2122 + filter scope + M-11) is left for a separate change.
  • M-14 (--disable-web-security): the flag was never present in 24.05's puppeteer args, so the master fix is a no-op; only an explanatory comment was added.
  • L-7 (drop wildcard CORS from reports preview/pdf): intentionally not backported — the wildcard is needed for puppeteer PDF rendering against data: URL documents (sub-resource fetches). Same decision as on master where the L-7 fix was reverted.

Fixes:

  • [star-rating] Close stored XSS in feedback widget logo upload/preview; restrict uploads to image MIME types and validate magic bytes (backport of #7532)
  • [star-rating] Defense-in-depth on image upload/serve routes
  • [data_migration] Constrain export/import paths to allowed directories; reject path-traversal in target_path, multipart filenames, and exportid (backport of #7491)
  • [errorlogs] Reject path-traversal in admin log file paths
  • [system-utility] Harden streamed responses with error handlers
  • [crashes] Add error handlers to crash report streamed responses
  • [exports] Add stream error handlers to export download
  • [reports] Add stream error handlers
  • [dashboards] Constrain public screenshot route paths and stream error handling
  • [core] Add common.resolvePathInBase helper for safe path containment checks

Breaking Changes

  • [dashboards] Remove the unused endpoint `/o/dashboards/test`
  • [auth] Regenerate session ID on token login (`/login/token/:token`) to close fixation

Security Fixes

  • [auth] Restrict `/login/token/:token` to login-purpose tokens and regenerate session ID (CVE not listed)
  • [dashboards] Require auth + per-widget app permission on previously unused endpoint (removal noted in breaking_changes)
  • [dbviewer] Block `$graphLookup` aggregation stage (cross-collection data exfiltration)
  • [redirect] Apply SSRF protection to `app.redirect_url` outbound requests
  • [tasks] Authorize `/i/tasks/{update,delete,name,edit}` per task ownership / app admin / global admin
  • [exports] Authorize `/o/export/download` by task ownership / app_id
  • [notes] Bind notes to permission-checked `app_id` and enforce `saveNote` schema validation
  • [apps] Replace mass-assignment with explicit field allowlist on updateApp/createApp
  • [event_groups] Whitelist updatable fields and scope reads by `app_id`
  • [app_users] Sanitize `user.picture` filename before deletion (path traversal)
  • [app_users] Scope export download/delete to caller's `app_id`; reject path-traversal in filenames
  • [app_users / logger / compliance-hub] Strip dangerous Mongo operators (`$where`, `$expr`, `$function`, `$accumulator`) from user-supplied queries
  • [push] Bind message routes to query-string `app_id` (cross-app push injection)
  • [alerts] Validate `alertConfig.selectedApps` against caller's permissions (cross-app metric exfiltration)
  • [data] Escape regex metacharacters in `sSearch` parameters (ReDoS)
  • [users] `/users/check/username` now requires global admin
  • [cms / system / systemlogs] Restrict `/i/cms/save_entries`, `/o/system/plugins`, `/i/systemlogs` to global admins
  • [auth] Replace OTP-equality recaptcha bypass with `twoFactorPassed` session flag
  • [auth] Generate new-member invite `prid` with `crypto.randomBytes` (replace predictable HMAC)
  • [output] Remove `noescape` query-string bypass on `returnOutput` (reflected XSS)
  • [star-rating] Close stored XSS in feedback widget logo upload/preview; restrict uploads to image MIME types and validate magic bytes
  • [data_migration] Constrain export/import paths to allowed directories; reject path-traversal
  • [errorlogs] Reject path-traversal in admin log file paths
  • [system-utility / crashes / exports / reports / dashboards / core] Add stream error handlers for robustness


About countly-server

Countly is a privacy-first, AI-powered analytics and engagement platform for understanding and optimizing customer journeys across digital applications, from desktop and mobile to IoT and connected environments.
