
Flagsmith

v2.238.0 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

This release patches 2 known CVEs

Topics

ci-cd docker feature-flag feature-flaggers feature-flagging feature-flags feature-management feature-toggles flagsmith multivariate-testing python react remote-config remote-control self-hosted

Affected surfaces

deps

ReleasePort's take

Moderate signal

This release hardens CI security by eliminating SSRF risks in webhooks and upgrading the ws dependency to address CVE-2026-45736.

Why it matters: Prevents server-side request forgery attacks in webhook flows; upgrades ws to fix high-severity CVE-2026-45736 (CVSS 9.0).

Summary

AI summary

Version 2.238.0 is a mixed release that updates CI configuration and includes bug fixes alongside the security and feature changes listed below.

Changes in this release

Security Critical

Prevents SSRF vulnerabilities in webhooks and webhook tests.

Security Critical

Upgrades ws dependency to fix CVE-2026-45736.

Feature Low

Adds unique event names from ClickHouse to experimentation.

Feature Low

Improves experiments user experience.

Feature Low

Uses backend type filter for multivariate features in experiments.

Feature Low

Uses native OpenAPI tool fields and consolidates private dependencies in MCP.

Bugfix Medium

Fixes stale GitLab issue/MR status in feature Links panel.

Bugfix Medium

Adds missing feature_segment field to versioning.

Source (all entries above): llm_adapter@2026-06-01

Confidence (all entries above): high

Full changelog

2.238.0 (2026-06-01)

Features

  • experimentation: add unique event names from ClickHouse (#7660) (1ee9b7b)
  • experiments ux improvements (#7644) (755df22)
  • experiment: use backend type filter for multivariate features (#7630) (164d4bc)
  • MCP: Use native OpenAPI tool fields and consolidate private deps (#7656) (2c8cf0f)

Bug Fixes

  • feature_segment missing in versioning (#7618) (f5584c9)
  • GitLab: issue/MR status in the feature Links panel goes stale after state changes (#7545) (77f742e)
  • webhooks: Prevent SSRF in webhooks and webhook tests (#7550) (85b92fa)

Dependency Updates

  • node: upgrade ws transitive dependency to fix CVE-2026-45736 (#7634) (4de821d)

CI

  • renovate: Fix renovate config json & add linter to pre-commit hooks (#7657) (69c6dbf)
  • Replace Dependabot with Renovate (#7645) (5b4dff0)

Docs

  • add vulnerability response policy to support page (#7423) (d39aae7)
  • Consolidate PR collaboration guide to Flagsmith/AGENTS.md (#7646) (c1f40d8)
  • CVE vulnerability guidance (#7655) (89135fe)

Security Fixes

  • dep: CVE-2026-45736 — fixed by upgrading ws transitive dependency
  • Prevented SSRF in webhooks and webhook tests


About Flagsmith

Dashboard, API and SDKs for adding Feature Flags to your applications (alternative to LaunchDarkly).
