This release includes security fixes for teams reviewing exposed deployments.
✓ No known CVEs patched in this version
Summary
AI summary: Security patches applied to address reported vulnerabilities.
Changes in this release
| Type | Severity | Summary | CVE | Source (confidence) |
|---|---|---|---|---|
| Security | High | Contains security patches. | — | granite4.1:30b@2026-05-30-audit (low) |
| Bugfix | Medium | Fixes notifications. | — | llm_adapter@2026-05-30 (high) |
| Bugfix | Medium | Ensures procurement request belongs to current team. | — | llm_adapter@2026-05-30 (high) |
| Bugfix | Medium | Enforces dedicated action for ownership transfer. | — | llm_adapter@2026-05-30 (high) |
| Bugfix | Medium | Marks 'patchable' field on users as patchable. | — | llm_adapter@2026-05-30 (high) |
| Bugfix | Medium | Enforces write permission on destroy action for tags. | — | llm_adapter@2026-05-30 (high) |
| Bugfix | Medium | Guards user submodels with read permission check in API. | — | llm_adapter@2026-05-30 (high) |
| Bugfix | Medium | Avoids raw rendering for custom fields. | — | llm_adapter@2026-05-30 (high) |
| Bugfix | Medium | Fixes export CSV call. | — | llm_adapter@2026-05-30 (high) |
| Bugfix | Medium | Restricts 'valid_until' to admin requesters. | — | llm_adapter@2026-05-30 (low) |
| Refactor | Low | Builds table sort controls with DOM APIs. | — | llm_adapter@2026-05-30 (high) |
Full changelog
This release contains security patches.
Note: security issues only impact you if your authenticated users are hackers ;)
Note: the development team wishes to thank all security researchers who reported their findings responsibly.
a215a3c68 compounds: fix export csv call (#6878)
aab1880a4 bug/minor: restrict 'valid_until' to admin requesters (#6868)
4e52854b4 bug/minor: fix notifications (#6867)
a8c536fe3 bug/minor: ensure procurement request belongs to current team (#6842)
5290eecb6 bug/medium: ownership: enforce dedicated action for ownership transfer (#6860)
95d27a80b bug/medium: users: patchable field (#6857)
d494baf3e bug/minor: tags: enforce write permission on destroy action (#6858)
2f3830825 bug/medium: api: guard user submodels with read permission check (#6865)
d1243a619 bug/minor: avoid raw rendering for custom fields (#6875)
f6fdfcb44 refactor: build table sort controls with DOM APIs (#6872)
Full Changelog: https://github.com/elabftw/elabftw/compare/5.5.12...5.5.13
About eLabFTW
Online lab notebook for research labs. Store experiments, use a database to find reagents or protocols, use trusted timestamping to legally timestamp an experiment, export as PDF or ZIP archive, share with collaborators….