
DeepTutor

v1.4.1 Security

This release includes 4 security fixes that are relevant to security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 4 known CVEs

Topics

ai-agents ai-tutor clawdbot cli-tool deepresearch interactive-learning large-language-models multi-agent-systems llm

Affected surfaces

rce_ssrf auth rbac

ReleasePort's take

Moderate signal

The release disables the TutorBot shell exec tool by default and patches several critical remote‑code‑execution vulnerabilities.

Why it matters (severity 95): the security fixes patch RCE, path traversal, and authorization bypasses; admin opt‑in is now required for shell execution.

Summary

AI summary

Updates What's New, Upgrade Notes, and ver1-4-0.md across a mixed release.

Changes in this release

  • Security / Critical: Disables TutorBot shell exec tool by default, requiring admin opt‑in via allow_shell_exec. (Source: llm_adapter@2026-05-27; confidence: high)
  • Security / Critical: Adds per‑user isolation for book roots, session databases, turn‑runtime stores, and TutorBot directories. (Source: llm_adapter@2026-05-27; confidence: high)
  • Security / Critical: Patches TutorBot RCE via the shell tool (issue #518). (Source: llm_adapter@2026-05-27; confidence: high)
  • Security / Critical: Patches path traversal vulnerability in the filesystem tool (issue #517). (Source: llm_adapter@2026-05-27; confidence: high)
  • Security / Critical: Fixes cross‑bot file‑management authorization bypass (issue #516). (Source: llm_adapter@2026-05-27; confidence: high)
  • Security / Critical: Fixes cross‑session turn‑regeneration authorization bypass (issue #515). (Source: llm_adapter@2026-05-27; confidence: high)
  • Security / Critical: Fixes book‑confirmation authorization bypass (issue #514). (Source: llm_adapter@2026-05-27; confidence: high)
  • Feature / Medium: Adds new HTTP API endpoints `POST /{bot_id}/chat` and `/chat/execute-stream` (SSE) for multi‑turn conversations with a specific TutorBot. (Source: llm_adapter@2026-05-27; confidence: high)
  • Feature / Low: Adds GPT‑5 init‑wizard token parameter support. (Source: granite4.1:30b@2026-05-27-audit; confidence: high)
  • Feature / Low: Implements safe ZIP upload with member‑by‑member validation and guards against path escapes. (Source: granite4.1:30b@2026-05-27-audit; confidence: high)
  • Feature / Low: Introduces `/settings/network` page to configure ports, public API base, CORS origins, and fetch models from OpenAI‑compatible endpoints. (Source: granite4.1:30b@2026-05-27-audit; confidence: high)
  • Bugfix / Medium: Fixes chat input being disabled after the first turn, a regression introduced in v1.4.0. (Source: llm_adapter@2026-05-27; confidence: high)
  • Bugfix / Medium: Fixes knowledge‑base embedding failure on long documents (issue #521). (Source: llm_adapter@2026-05-27; confidence: high)
  • Bugfix / Medium: Prevents new users from failing to create a profile under Docker. (Source: granite4.1:30b@2026-05-27-audit; confidence: high)
  • Bugfix / Low: Resolves Qwen reasoning models failing native tool calling (issue #527). (Source: granite4.1:30b@2026-05-27-audit; confidence: high)
  • Bugfix / Low: Fixes multimodal image fallback for providers lacking a vision entry, retrying text‑only when needed. (Source: granite4.1:30b@2026-05-27-audit; confidence: high)

Full changelog

DeepTutor v1.4.1 Release Notes

Release Date: 2026.05.27

v1.4.1 is a security and stability patch on v1.4.0. It locks down
the TutorBot tool sandbox, isolates per-user resources, fixes a v1.4.0 chat
regression, adds an HTTP API for talking to a specific TutorBot, and ships a
multimodal image-fallback fix for providers DeepTutor has no vision entry for.

What's New

TutorBot Tool Sandbox Is Opt-In

The shell exec tool is no longer registered unless an admin sets
allow_shell_exec, and all filesystem + shell access is confined to the bot
workspace by default. Command deny-lists were re-anchored at command
boundaries, and allow_shell_exec can't be flipped on via the update payload.
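The "re-anchored at command boundaries" point is worth seeing in code. The following is an added example written for this page, not DeepTutor's ExecTool: it tokenizes a command line the way a POSIX shell would, keeps the control operators as separate tokens, and compares only the word in command position against a deny-list. The deny-list entries, the wrapper set and the function names are assumptions for illustration; the release notes do not publish DeepTutor's lists. Python 3.8 or later is assumed for `shlex` with `punctuation_chars` and `whitespace_split` together.

```python
import os
import shlex

# Assumed deny-list for illustration: tools that give a sandboxed shell
# outbound network access. The release notes do not list DeepTutor's entries.
DENIED = {"curl", "wget", "ssh", "nc"}
# Words that run their argument as another command; the check continues past them.
WRAPPERS = {"sudo", "env", "nohup", "time", "exec", "command"}
# After any of these the next word is in command position again.
CONTROL = {";", ";;", "&", "&&", "|", "||", "|&", "(", ")"}
# After any of these the next word is a file name, not a command.
REDIRECTS = {">", ">>", "<", "<<", "<<<", ">&", "<&"}


def tokenize(command: str) -> list:
    """POSIX-style split that returns shell operators as their own tokens."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = ""  # a '#' inside a word is literal in a shell; don't drop text
    return list(lex)


def denied_command(command: str):
    """Return the denied command word found at a command boundary, or None.

    A boundary is the start of the line or the token after a control operator,
    so 'echo curl' passes (curl is only an argument) while 'echo hi && curl ...'
    does not. Substitutions cannot be inspected by this tokenizer, so any line
    containing one is refused outright, as is a line that fails to parse."""
    if "`" in command or "$(" in command:
        return "command substitution"
    try:
        tokens = tokenize(command)
    except ValueError:  # e.g. unbalanced quotes
        return "unparseable command"
    expect_command = True
    skip_next = False
    for token in tokens:
        if token in CONTROL:
            expect_command = True
            continue
        if token in REDIRECTS:
            skip_next = True
            continue
        if skip_next:
            skip_next = False
            continue
        if not expect_command:
            continue
        if "=" in token and not token.startswith("="):
            continue  # VAR=value prefix; the command word is still to come
        word = os.path.basename(token)  # '/usr/bin/curl' matches 'curl'
        if word in DENIED:
            return word
        if word not in WRAPPERS:
            expect_command = False
    return None


if __name__ == "__main__":
    for line in ("cat notes.txt | wc -l", "echo curl", "echo hi && curl http://example.invalid"):
        print(repr(line), "->", denied_command(line))
```

A deny-list matched this way is a coarse guard, which is why the release pairs it with the exec tool being off by default and with workspace confinement; an allowlist of permitted commands is the stronger design where the use case allows it.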

Per-User Resource Isolation

Book roots, session databases, turn-runtime stores, and TutorBot directories
are scoped per user, and web/API conversations are keyed per session — so
cross-user requests can't reach each other's data.
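The authorization bypasses fixed in this release (#514, #515, #516) share one shape: a resource was looked up by id without checking that the requester owns it. The following added example, not DeepTutor's own code, shows the two halves of the fix described above: per-user resource roots derived from a validated user id, and an ownership check applied before any session-level operation such as regenerating a turn. The in-memory store, the `regenerate_last_turn` name and the id character set are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from pathlib import Path

# Assumption for illustration: ids are restricted to a safe character set
# before they are used as a path component or a lookup key.
_SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")


class AccessDenied(Exception):
    """Raised for both 'no such session' and 'not your session', so the
    response does not reveal whether another user's session id exists."""


def check_id(value: str, label: str) -> str:
    if not _SAFE_ID.fullmatch(value):
        raise ValueError(f"invalid {label}")
    return value


def user_root(base, user_id: str, kind: str) -> Path:
    """Per-user root for one resource kind (books, sessions, turn_runtime, bots).
    Every path built for a user starts here, never at `base` itself."""
    check_id(kind, "resource kind")
    return Path(base) / "users" / check_id(user_id, "user id") / kind


@dataclass
class Session:
    session_id: str
    owner: str
    bot_id: str
    turns: list = field(default_factory=list)


class SessionStore:
    """In-memory stand-in for a per-user session database."""

    def __init__(self):
        self._sessions = {}
        self._counter = 0

    def create(self, owner: str, bot_id: str) -> Session:
        self._counter += 1
        session = Session(f"s{self._counter}", check_id(owner, "user id"), bot_id)
        self._sessions[session.session_id] = session
        return session

    def get_owned(self, session_id: str, requester: str) -> Session:
        """Authorize right after lookup: a session is visible only to its owner."""
        session = self._sessions.get(session_id)
        if session is None or session.owner != requester:
            raise AccessDenied("session not found")
        return session


def append_turn(store: SessionStore, session_id: str, requester: str, text: str) -> int:
    session = store.get_owned(session_id, requester)
    session.turns.append(text)
    return len(session.turns)


def regenerate_last_turn(store: SessionStore, session_id: str, requester: str) -> str:
    """The ownership check runs before the session's turns are touched, so a
    request carrying another user's session id is rejected outright."""
    session = store.get_owned(session_id, requester)
    if not session.turns:
        raise ValueError("no turn to regenerate")
    session.turns[-1] = session.turns[-1] + " [regenerated]"
    return session.turns[-1]


def demo() -> dict:
    """Constructed scenario: alice owns a session, bob tries to regenerate it."""
    store = SessionStore()
    alice = store.create("alice", "bot-math")
    append_turn(store, alice.session_id, "alice", "explain eigenvalues")
    result = {"alice": regenerate_last_turn(store, alice.session_id, "alice")}
    try:
        regenerate_last_turn(store, alice.session_id, "bob")
        result["bob"] = "allowed"
    except AccessDenied:
        result["bob"] = "denied"
    result["root"] = user_root("/srv/deeptutor", "alice", "books").as_posix()
    return result


if __name__ == "__main__":
    print(demo())
```

The same `get_owned` pattern applies to book confirmation and cross-bot file management: the check is keyed on the authenticated requester, not on anything the client supplies in the request body.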

HTTP / SSE API For A TutorBot

New POST /{bot_id}/chat and /chat/execute-stream (SSE) endpoints with
auto-start and persistent per-session context, for multi-turn conversations
with a specific bot from external clients.

Multimodal Image Fallback

Images are sent optimistically to every provider; if a request carrying images
fails and the model isn't in the known-vision allowlist, the turn retries
text-only. Fixes silently dropped images on Doubao / VolcEngine and other
multimodal models that lack a capability entry.

Safe ZIP Upload + Network Settings

.zip knowledge uploads expand member-by-member through the document validator
with size / count / compression-ratio bounds and path-escape guards; the
archive itself is never indexed. A new /settings/network page surfaces ports,
public API base, and CORS origins (normalized to tolerate host:port and
trailing slashes), plus a "fetch models" action listing model IDs from an
OpenAI-compatible endpoint.
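The ZIP handling above and the workspace confinement in the tool sandbox section rest on the same check: resolve a path, then refuse it unless it still lies under the intended root. The following added example is written for this page and is not DeepTutor's upload code; it validates an archive member by member with size, count and compression-ratio bounds and a path-escape guard, and extracts only what passed, every destination going through the same `confine()` helper a filesystem tool would use. The numeric limits, the `RATIO_CHECK_MIN_BYTES` exemption and the function names are assumptions; the sample archive is constructed inline.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Assumed bounds for illustration; the release notes name the categories
# (size, count, compression ratio), not the values DeepTutor uses.
MAX_MEMBERS = 200
MAX_MEMBER_BYTES = 10 * 1024 * 1024
MAX_TOTAL_BYTES = 50 * 1024 * 1024
MAX_COMPRESSION_RATIO = 100.0
RATIO_CHECK_MIN_BYTES = 64 * 1024  # small text files compress very well; exempt them


def confine(root, relative: str) -> Path:
    """Resolve `relative` under `root` and refuse anything that escapes it.
    Resolving before comparing defeats '..' segments, absolute names and
    symlinks pointing outside the root; the same check serves a tool's
    filesystem access and a ZIP member's destination."""
    root = Path(root).resolve()
    candidate = (root / relative).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes workspace: {relative!r}")
    return candidate


def validate_members(data: bytes) -> list:
    """Inspect the central directory entry by entry before extracting anything.
    Returns the file members that pass; raises ValueError on the first violation."""
    accepted = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_MEMBERS:
            raise ValueError(f"too many members: {len(infos)}")
        for info in infos:
            name = info.filename
            if info.is_dir():
                continue  # directory entries carry no data
            parts = Path(name).parts
            if not parts or Path(name).is_absolute() or "\\" in name or ".." in parts:
                raise ValueError(f"path escape in member name {name!r}")
            if info.file_size > MAX_MEMBER_BYTES:
                raise ValueError(f"member too large: {name!r}")
            total += info.file_size
            if total > MAX_TOTAL_BYTES:
                raise ValueError("archive expands past the total size limit")
            # A very high expansion ratio is the classic zip-bomb signature.
            if (info.compress_size and info.file_size > RATIO_CHECK_MIN_BYTES
                    and info.file_size / info.compress_size > MAX_COMPRESSION_RATIO):
                raise ValueError(f"compression ratio too high: {name!r}")
            accepted.append(name)
    return accepted


def extract_into(root, data: bytes) -> list:
    """Extract only validated members, each destination through confine().
    Members are streamed in chunks so a large file never sits in memory whole."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in validate_members(data):
            dest = confine(root, name)
            dest.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(name) as src, open(dest, "wb") as dst:
                while True:
                    chunk = src.read(64 * 1024)
                    if not chunk:
                        break
                    dst.write(chunk)
            written.append(dest)
    return written


def build_sample(members: dict) -> bytes:
    """Constructed sample archive for the demo, not a real upload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def demo() -> dict:
    """Extract a constructed archive into a fresh temp dir and read it back."""
    data = build_sample({"notes/a.txt": b"hello", "b.md": b"# hi"})
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        return {p.relative_to(root).as_posix(): p.read_text() for p in extract_into(root, data)}


if __name__ == "__main__":
    print(demo())
```

Note that the declared sizes come from the archive's central directory; `zipfile` truncates each member to its declared size on read, but the running total and per-member cap are what keep a crafted archive from exhausting disk, and the ratio bound catches the highly compressible payload case before any byte is written.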

Community Fixes & Changes

Security — closed TutorBot RCE via the shell tool (#518), path traversal in
the filesystem tool (#517), cross-bot file-management authz bypass (#516),
cross-session turn-regeneration authz bypass (#515), book-confirmation authz
bypass (#514), and ExecTool executing LLM shell commands over chat (#506,
first hardened in PR #507).

Bug fixes — chat input disabled after the first turn (v1.4.0 regression,
#520), knowledge-base embedding failure on long documents (#521 / PR #509),
new users unable to create a profile under Docker (#512 / PR #513), Qwen
reasoning models failing native tool calling (#527 / PR #528), and the GPT-5
init-wizard token parameter (PR #508).

Merged / reworked PRs — native tool calling for reasoning models (#528),
oversized session-event truncation (#524), empty-state profile button (#513),
chunking-pipeline fix (#509), GPT-5 probe (#508), ExecTool hardening (#507).
Contributions #522 (zip upload) and #523 (model fetching + notebook lookup)
were reimplemented locally and ship here.

Feature request — HTTP API for multi-turn chat with a specific TutorBot
(#511).

Upgrade Notes

  • Drop-in from v1.4.0: pip install -U deeptutor; Docker users pull
    ghcr.io/hkuds/deeptutor:latest.
  • TutorBot shell exec is now disabled by default. If you relied on it, set
    allow_shell_exec on the bot; tool access stays confined to the workspace.
  • For cross-site HTTPS auth, set explicit CORS origins and cookie_secure=true.

Full Changelog: https://github.com/HKUDS/DeepTutor/compare/v1.4.0...v1.4.1

Breaking Changes

  • TutorBot `exec` tool is disabled by default; admins must set `allow_shell_exec` to enable it.

Security Fixes

  • CVE-2026-XXXXX — closed TutorBot RCE via the shell tool (issue #518).
  • CVE-2026-XXXXY — fixed path traversal in filesystem tool (issue #517).
  • CVE-2026-XXXXZ — addressed cross‑bot file‑management authorization bypass (issue #516), cross‑session turn‑regeneration authorization bypass (issue #515), and book‑confirmation authorization bypass (issue #514).
  • GHSA-xxxxx — prevented ExecTool from executing LLM shell commands over chat (issue #506, hardened in PR #507).


About DeepTutor

"DeepTutor: Agent-Native Personalized Learning Assistant"


Related context

Earlier breaking changes

  • v1.4.0-beta Deletes the legacy main.yaml capability copy; each capability now uses its own prompt files
  • v1.4.0-beta Removes legacy main.yaml capability copy in favor of per-capability prompt files
  • v1.4.0-beta Removes legacy agents/ and prompts/ directories for research, solve, question modes
