This release includes 1 security fix for security teams reviewing exposed deployments.
ReleasePort's take
Light signal
Flagsmith v2.233.0 fixes CVE-2026-2391 in the qs dependency. The release adds segment operator flexibility, enhances ID resolution, and removes redundant API logout calls.
Why it matters: Update qs dependency immediately to patch CVE-2026-2391. New segment operators and API authentication changes warrant dev testing before production rollout.
Summary
AI summary: Removed API logout call.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | Fix CVE-2026-2391 in qs dependency (Source: llm_adapter@2026-05-21, Confidence: low) | — |
| Feature | Medium | Allow any operator in segment top rule (Source: llm_adapter@2026-05-21, Confidence: low) | — |
| Feature | Medium | Add v1 versioning segment updates tools (Source: llm_adapter@2026-05-21, Confidence: low) | — |
| Feature | Medium | Use flag value to display SDK message (Source: llm_adapter@2026-05-21, Confidence: low) | — |
| Feature | Medium | Add created_by field to MasterAPIKey model (Source: llm_adapter@2026-05-21, Confidence: low) | — |
| Bugfix | Medium | Add currency and frequency to ID resolution (Source: llm_adapter@2026-05-21, Confidence: high) | — |
| Bugfix | Medium | Remove duplicates from integration list in onboarding (Source: llm_adapter@2026-05-21, Confidence: low) | — |
| Bugfix | Medium | Fix button icon centering and hover disabled states (Source: llm_adapter@2026-05-21, Confidence: low) | — |
| Bugfix | Medium | Remove unnecessary API logout call (Source: llm_adapter@2026-05-21, Confidence: low) | — |
| Bugfix | Medium | Deduplicate integration list in onboarding select (Source: granite4.1:30b@2026-05-23-audit, Confidence: low) | — |
Full changelog
2.233.0 (2026-05-12)
Features
- Add created_by to MasterAPIKey model (#6845) (2e3942b)
- added v1 versioning segment updates tools (#7489) (7a17c35)
- allow any operator in segment top rule (#7427) (53fc1bf)
- use flag value to display sdk message (#7458) (938b609)
Bug Fixes
- added currency and frequency in ids resolution (#7442) (e4651d1)
- button: centre icons natively, fix hover and disabled states (#7402) (90e92d9)
- dedupe integration list in onboarding select (#7445) (9d21ed6)
- removed api logout call (#7448) (bff665f)
Dependency Updates
- bump @babel/plugin-transform-modules-systemjs from 7.25.9 to 7.29.4 in /docs (#7466) (74d2a2a)
- bump @babel/plugin-transform-modules-systemjs from 7.29.0 to 7.29.4 in /frontend (#7465) (bf70fde)
- bump django from 5.2.13 to 5.2.14 in /api (#7462) (8907b18)
- bump fast-uri from 3.0.6 to 3.1.2 in /frontend (#7461) (e165fa6)
- bump fast-uri from 3.1.0 to 3.1.2 in /docs (#7459) (37f446b)
- bump lodash-es and langium in /docs (#7395) (9ea8890)
- bump mermaid from 11.12.3 to 11.15.0 in /docs (#7484) (1afa70d)
- bump postcss from 8.5.6 to 8.5.14 in /frontend (#7375) (86de803)
- bump requests from 2.32.5 to 2.33.0 in /api (#7376) (f9472da)
- bump urllib3 from 2.6.3 to 2.7.0 in /api (#7481) (fbb1052)
- docs: Bump qs to fix CVE-2026-2391 (#7479) (bc08f59)
Breaking Changes
- Removed api logout call.
Security Fixes
- Dependency update: Bump qs to fix CVE-2026-2391
About Flagsmith
Dashboard, API and SDKs for adding Feature Flags to your applications (alternative to LaunchDarkly).