This release includes 3 security fixes and is relevant to security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal: The v2.0.1 release fixes an HTML injection vulnerability in API token handling and corrects several OAuth‑related parsing bugs.
Why it matters: Patch to v2.0.1 immediately because the high‑severity (CVSS 7.5) HTML injection flaw could allow attackers to inject malicious scripts via API tokens; also apply the OAuth scope, state, and logging fixes.
Summary
AI summary: Security improvements addressing multiple vulnerabilities across DG26-4, DG26-10, and DG26-9.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | HTML Injection vulnerability in API tokens fixed | — |
| Feature | Medium | Group endpoint OpenAPI documentation updated | — |
| Dependency | Medium | Updated openssl crate version | — |
| Performance | Medium | Improved client IP address detection | — |
| Deprecation | Medium | Business features now require free registration | — |
| Bugfix | Medium | Incorrect OAuth scope parsing fixed | — |
| Bugfix | Medium | Gateway setup: missing server-side data validation added | — |
| Bugfix | Medium | OAuth state parameter parsing conforms to RFC 6749 | — |
| Bugfix | Medium | Activity log now records misuse of recovery code | — |
| Bugfix | Medium | Prevent deletion of groups used in locations | — |
| Bugfix | Medium | Destination/aliases list fix applied | — |
| Refactor | Medium | Migrated empty allowed groups from 1.6.x to new version | — |
Full changelog
This is a patch for the major 2.0 release. It includes security improvements identified through our regular penetration testing activities, as well as fixes for issues reported by early adopters.
Learn more about the latest penetration testing report on our website.
Version 2.0 was a significant step up from version 1.x, featuring:
🎨 a completely redesigned UI,
📦 a new and easy deployment approach (and component communication security),
🛠️ and some other major architectural changes.
More details with videos in this blogpost.
⬆︎ If you are upgrading from 1.x, the relevant upgrade documentation is available here.
🚅 If you would like to test Defguard, we offer a quick and easy one-line install script.
⚠️ Business features require free registration.
Previously, these features were available without registration (within certain limits).
Starting from 2.0, a free Business license registration is required to use them.
👉 https://defguard.net/get-free-business/
Once registered, simply apply your license to your instance and enjoy access to Business functionality.
We want to get as much feedback as possible, so we encourage you to:
💬 open a GitHub discussion
🪲 report any missing features or bugs as issues
What's Changed
- DG26-4: Extending the number of locations by @jakub-tldr in https://github.com/DefGuard/defguard/pull/2849
- DG26-10: API key creation inconsistency by @jakub-tldr in https://github.com/DefGuard/defguard/pull/2850
- DG26-9: Activity log does not log misuse of recovery code by @jakub-tldr in https://github.com/DefGuard/defguard/pull/2851
- DG26-6: Incorrect scope parsing in oAuth applications by @wojcik91 in https://github.com/DefGuard/defguard/pull/2856
- DG26-11: Gateway setup - Lack of server-side data validation by @wojcik91 in https://github.com/DefGuard/defguard/pull/2857
- DG26-7: oAuth state parameter parsing violates RFC-6749 by @wojcik91 in https://github.com/DefGuard/defguard/pull/2886
- DG26-8: HTML Injection - API tokens by @jakub-tldr in https://github.com/DefGuard/defguard/pull/2887
- Update group endpoint OpenAPI documentation by @jakub-tldr in https://github.com/DefGuard/defguard/pull/2890
- Fix destination/aliases list by @jakub-tldr in https://github.com/DefGuard/defguard/pull/2895
- Better client IP address detection by @moubctez in https://github.com/DefGuard/defguard/pull/2897
- Migrate empty allowed groups from 1.6.x by @jakub-tldr in https://github.com/DefGuard/defguard/pull/2902
- Prevent deleting groups used in locations by @jakub-tldr in https://github.com/DefGuard/defguard/pull/2908
- update openssl crate by @wojcik91 in https://github.com/DefGuard/defguard/pull/2957
Full Changelog: https://github.com/DefGuard/defguard/compare/v2.0.0...v2.0.1
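The DG26-7 entry above says only that OAuth `state` parameter parsing now conforms to RFC 6749, not which rule was previously broken. As an added illustration (not Defguard's code, and not taken from PR #2886), the following Rust snippet applies the RFC's own rules to the `state` parameter of an authorization request: a parameter sent without a value is treated as omitted and a repeated parameter is rejected (Section 3.1), the value must be a non-empty string of printable ASCII (`state = 1*VSCHAR`, Appendix A.5), and the echoed value is compared to the stored one in constant time. The function names, the minimal percent-decoder and the sample query strings are all constructed for this example.

```rust
// Added example (not Defguard's code): RFC 6749 handling of the OAuth
// `state` parameter. Rules applied:
//   - Section 3.1: a parameter sent without a value is treated as omitted;
//     a parameter included more than once is an error.
//   - Appendix A.5: state = 1*VSCHAR, where VSCHAR = %x20-7E.
//   - Section 4.1.2: the server echoes `state` back exactly as received,
//     so the client compares it against the value it stored.

/// True when `state` is a non-empty string of printable ASCII (VSCHAR).
pub fn is_valid_state(state: &str) -> bool {
    !state.is_empty() && state.bytes().all(|b| (0x20..=0x7E).contains(&b))
}

/// Minimal percent-decoding for application/x-www-form-urlencoded values.
/// A truncated or non-hex escape is an error rather than silently kept.
pub fn percent_decode(raw: &str) -> Result<String, String> {
    let bytes = raw.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        match bytes[i] {
            b'+' => out.push(b' '),
            b'%' => {
                let hex = bytes.get(i + 1..i + 3).ok_or("truncated percent escape")?;
                let hex = std::str::from_utf8(hex).map_err(|_| "bad percent escape")?;
                out.push(u8::from_str_radix(hex, 16).map_err(|_| "bad percent escape")?);
                i += 2;
            }
            b => out.push(b),
        }
        i += 1;
    }
    String::from_utf8(out).map_err(|_| "state is not valid UTF-8".to_string())
}

/// Parse the query string of an authorization request and return `state`
/// as an opaque value, or `None` when the client did not send one.
pub fn parse_state(query: &str) -> Result<Option<String>, String> {
    let mut state: Option<String> = None;
    for pair in query.split('&').filter(|p| !p.is_empty()) {
        let (key, value) = pair.split_once('=').unwrap_or((pair, ""));
        if key != "state" {
            continue; // Section 3.1: unrecognised parameters are ignored
        }
        if value.is_empty() {
            continue; // Section 3.1: an empty value counts as omitted
        }
        if state.is_some() {
            return Err("state parameter must not appear more than once".into());
        }
        let decoded = percent_decode(value)?;
        if !is_valid_state(&decoded) {
            return Err("state must be non-empty printable ASCII (VSCHAR)".into());
        }
        state = Some(decoded);
    }
    Ok(state)
}

/// Constant-time comparison of the `state` echoed in the redirect against
/// the value stored with the session, so a mismatch cannot be located
/// byte by byte through timing differences.
pub fn state_matches(expected: &str, received: &str) -> bool {
    let (a, b) = (expected.as_bytes(), received.as_bytes());
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

fn main() {
    // Constructed sample queries, not captured traffic.
    let queries = [
        "response_type=code&client_id=abc&state=xyz%20-42", // valid
        "response_type=code&client_id=abc&state=",          // treated as omitted
        "response_type=code&state=a&state=b",               // duplicate -> error
        "response_type=code&state=%C3%A9",                  // non-ASCII -> error
    ];
    for q in queries {
        println!("{q:?} -> {:?}", parse_state(q));
    }
}
```

The decoder deliberately rejects malformed escapes instead of passing them through, because a parser that "repairs" input is exactly where two components can disagree about what a request contains; the constant-time comparison is the client-side half of the same parameter's lifecycle and is included so the whole round trip is shown.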
Security Fixes
The three findings named in the summary above, with the descriptions given in the What's Changed list:
- DG26-4: Extending the number of locations (PR #2849).
- DG26-10: API key creation inconsistency fixed (PR #2850).
- DG26-9: Activity log now records misuse of recovery codes (PR #2851).