This release includes 1 security fix for security teams reviewing exposed deployments.
Topics
+1 more
Affected surfaces
Summary
AI summaryBroad release touches Bug Fixes, Major Enhancements, https://eclipse.dev/che/docs/stable/administration-guide/monitoring-che/, and https://github.com/devfile/devworkspace-operator/blob/0.41.x/CHANGELOG.md.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | High |
Configures maxResponseBodySize for Traefik ForwardAuth middleware, preventing DoS/memory‑exhaustion from unlimited responses. Configures maxResponseBodySize for Traefik ForwardAuth middleware, preventing DoS/memory‑exhaustion from unlimited responses. Source: llm_adapter@2026-05-26 Confidence: high |
— |
| Feature | Medium |
Dashboard shows a modal warning 60 seconds before OAuth session expiry with countdown options. Dashboard shows a modal warning 60 seconds before OAuth session expiry with countdown options. Source: llm_adapter@2026-05-26 Confidence: high |
— |
| Feature | Medium |
Gateway plugin introduces new authentication methods and UI for switching between them. Gateway plugin introduces new authentication methods and UI for switching between them. Source: llm_adapter@2026-05-26 Confidence: high |
— |
| Feature | Medium |
Automatically sets up Prometheus ServiceMonitor, RBAC, and monitoring labels for Che Server and DevWorkspace Operator. Automatically sets up Prometheus ServiceMonitor, RBAC, and monitoring labels for Che Server and DevWorkspace Operator. Source: llm_adapter@2026-05-26 Confidence: low |
— |
| Feature | Low |
Automatically creates ServiceMonitor objects for Che Server and DevWorkspace Operator. Automatically creates ServiceMonitor objects for Che Server and DevWorkspace Operator. Source: granite4.1:30b@2026-05-26-audit Confidence: low |
— |
| Feature | Low |
Creates RBAC (Role + RoleBinding) granting prometheus-k8s access to scrape metrics endpoints. Creates RBAC (Role + RoleBinding) granting prometheus-k8s access to scrape metrics endpoints. Source: granite4.1:30b@2026-05-26-audit Confidence: low |
— |
| Feature | Low |
Adds openshift.io/cluster-monitoring: "true" label on operator namespace for OpenShift monitoring discovery. Adds openshift.io/cluster-monitoring: "true" label on operator namespace for OpenShift monitoring discovery. Source: granite4.1:30b@2026-05-26-audit Confidence: low |
— |
| Bugfix | Medium |
Disables Save button on GitConfig tab when name or email fields are empty, preventing invalid gitconfig saves. Disables Save button on GitConfig tab when name or email fields are empty, preventing invalid gitconfig saves. Source: llm_adapter@2026-05-26 Confidence: high |
— |
| Bugfix | Medium |
Automatically reconnects IDE to workspace after "Restart from local Devfile" command. Automatically reconnects IDE to workspace after "Restart from local Devfile" command. Source: llm_adapter@2026-05-26 Confidence: high |
— |
| Bugfix | Low |
Resolves multiple accessibility issues on the User Dashboard (ARIA attributes, list structure, error suggestions, nested controls). Resolves multiple accessibility issues on the User Dashboard (ARIA attributes, list structure, error suggestions, nested controls). Source: llm_adapter@2026-05-26 Confidence: high |
— |
| Refactor | Low |
Removes redundant multiuser modules from che-server, reducing build time and binary size. Removes redundant multiuser modules from che-server, reducing build time and binary size. Source: llm_adapter@2026-05-26 Confidence: high |
— |
Full changelog
Major Enhancements
Automated Prometheus resource setup for Che Server and DevWorkspace Operator
Eclipse Che now automatically sets up the required Prometheus resources for metrics collection, removing the need for manual configuration. The operator creates:
ServiceMonitorobjects for both the Che Server (che-host) and the DevWorkspace Operator (devworkspace-controller)- RBAC (
Role+RoleBinding) granting theprometheus-k8sservice account access to scrape metrics endpoints - The
openshift.io/cluster-monitoring: "true"label on the operator namespace, enabling OpenShift's built-in monitoring stack to discover the ServiceMonitors automatically
See the Monitoring Che and Monitoring the DevWorkspace Operator sections from the official documentation for more details about monitoring Eclipse Che.
DevWorkspace Operator 0.41.0
DevWorkspace Operator 0.41.0 is now available, adding new functionality to Eclipse Che. For more information, see the changelog.
Session timeout warning modal
The Dashboard now warns users before their OAuth session expires. Previously, idle sessions would time out silently, causing an abrupt redirect to the login page and potential loss of unsaved form data. A new modal appears 60 seconds before session expiry with a live countdown, offering options to extend the session or sign out immediately. The session timeout value is read from the CheCluster CR's cookieExpireSeconds configuration.
Use a URI handler to establish a connection for the local/remote (SSH) support
Automatically open a vscode://redhat.devspaces-remote-ssh URI that will be handled by an active Code based editor with "Dev Spaces Local/Remote Support - SSH" (redhat.devspaces-remote-ssh) extension installed.
Simplify logging into an a cluster for Gateway plugin
Introduce new authentication methods and create new UI to easily switch between them.
Bug Fixes
Configure maxResponseBodySize for Traefik ForwardAuth middleware
The Traefik ForwardAuth middleware now has maxResponseBodySize configured, eliminating a warning about unlimited response body size that could lead to DoS attacks and memory exhaustion.
Gitconfig form and "Import Git Configuration" are inconsistent
The Save button on the User Preferences GitConfig tab is now correctly disabled when the name or email field is empty, preventing users from saving invalid gitconfig data.
Remove redundant multiuser modules from che-server
The multiuser directory has been removed from the che-server repository. Since che-server is only used for SCM integration and workspace provisioning, these modules were unnecessary and were increasing build times and binary size.
Multiple accessibility issues on the User Dashboard are now resolved
The following accessibility improvements are included in this release:
- Interactive controls are nested in sample cards on "Create Workspace" page
- Invalid ARIA Attribute on Workspace Status Indicator in User Dashboard
- Invalid List Structure in Navigation of User Dashboard
- Error suggestion fields are not complete in User preferences and Create Workspace pages
- Interactive controls are nested in "User Preferences > Container Registries > Add Container Registry" modal
Restart from local Devfile should automatically reconnect to the restarted workspace
When calling the Restart from local Devfile command, the Gateway plugin takes focus and the workspace can be seen restarting. Once started the IDE should automatically be opened against the workspace.
Security Fixes
- Traefik ForwardAuth middleware now has `maxResponseBodySize` configured, preventing unlimited response body size warnings that could lead to DoS/memory exhaustion
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
Related context
Related tools
Beta — feedback welcome: [email protected]