Skip to content

libredesk

v2.3.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 5d Communication & Email
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 1 known CVE

Topics

chat-widget conversation conversations customer-service customer-success customer-support
+11 more
customer-support-automation go helpdesk intercom live-chat livechat omnichannel self-hosted support ticketing-system vue

Affected surfaces

auth rbac

ReleasePort's take

Moderate signal
editorial:auto 5d

Message lookups are now limited to the parent conversation scope.

Why it matters: Scope restriction prevents cross‑conversation data leakage; relevant for all integrations using the message lookup API.

Summary

AI summary

Broad release touches Upgrade notes, fix, deps, and What's new.

Changes in this release

Security High

Message lookups are now scoped to the parent conversation.

Message lookups are now scoped to the parent conversation.

Source: llm_adapter@2026-05-29

Confidence: high
Feature Medium

Adds bulk actions on conversations (assign, change status, set tags).

Adds bulk actions on conversations (assign, change status, set tags).

Source: llm_adapter@2026-05-29

Confidence: high
Feature Medium

Adds inline image support in the editor (paste, resize).

Adds inline image support in the editor (paste, resize).

Source: llm_adapter@2026-05-29

Confidence: high
Feature Medium

Shows inbox name in conversation sidebar.

Shows inbox name in conversation sidebar.

Source: llm_adapter@2026-05-29

Confidence: high
Feature Medium

Adds contact notes accordion section to conversation sidebar.

Adds contact notes accordion section to conversation sidebar.

Source: llm_adapter@2026-05-29

Confidence: high
Dependency Low

Bumps axios from 1.15.0 to 1.15.2 in the frontend.

Bumps axios from 1.15.0 to 1.15.2 in the frontend.

Source: llm_adapter@2026-05-29

Confidence: high
Performance Medium

WebSocket overhaul reduces CPU and memory per connection and improves reconnection syncing.

WebSocket overhaul reduces CPU and memory per connection and improves reconnection syncing.

Source: llm_adapter@2026-05-29

Confidence: high
Bugfix High

Encryption key rotation no longer causes fatal errors on boot.

Encryption key rotation no longer causes fatal errors on boot.

Source: llm_adapter@2026-05-29

Confidence: high
Bugfix Medium

Prevents auto-reply and CSAT from fanning out to the original CC list.

Prevents auto-reply and CSAT from fanning out to the original CC list.

Source: llm_adapter@2026-05-29

Confidence: high
Bugfix Medium

Search results now respect conversation read permissions and auto‑focus the search box.

Search results now respect conversation read permissions and auto‑focus the search box.

Source: llm_adapter@2026-05-29

Confidence: high
Full changelog

Libredesk v2.3.0

Bulk actions on conversations, a inline-image in editor, contact notes in the sidebar, and a stack of email rendering fixes.

What's new

  • Bulk actions on conversations - select multiple conversations to assign, change status, or set tags.
  • Inline images - paste images, resize them in the editor.
  • Image viewer - images no longer open in new tab instead they open in an image viewer / gallery.
  • Contact notes in conversation sidebar - view and add a contact's notes without leaving the conversation.
  • Cleaner message thread - long messages get an expand button to keep the chat short, and consecutive messages from the same sender are grouped.
  • Attachment previews - improved attachments preview.
  • Audio attachments - play audio files inline with a built-in popover player.
  • Inbox name in the conversation sidebar - see which inbox a conversation came in through.
  • Improved notification sound - plays only when the tab isn't focused, like WhatsApp.
  • Translations - added Portuguese (Brazil) (pt-BR) and Chinese (Simplified) (zh-CN) translations.
  • Live chat widget - Improved connection status banner to show more granular states such as Connecting, Connected, and Reconnecting.

What's fixed

  • Quoted text hidden correctly for Outlook, Gmail, and Yahoo replies.
  • Auto-reply and CSAT no longer fan out to the original CC list and instead only go to the sender.
  • Encryption key rotation no longer fatal on boot.
  • Security fix: message lookups are now scoped to the parent conversation.
  • WebSocket overhaul - lower CPU, memory usage per connection and improved syncing during a re-connection.
  • Search results now respect conversation read permissions, and the search box auto-focuses when opened.

And many quality of life fixes and improvements..

Upgrade notes

  • Always take a database backup before upgrading.
  • Follow the steps here.

Changelog

  • d36c43c9 ci: pin pnpm to 9.15.3 and bump release node to 20
  • d173688c Merge pull request #346 from abhinavxd/fix-invalid-utf-8
  • 1233f2fb fix: migrate livechat inbox lang codes to region format
  • c87c60b7 fix: drop contact email from incoming-message error log to keep PII out of logs
  • 870f66c2 fix: sanitize invalid UTF-8 in incoming email, fix widget scroll flicker
  • 4bfb90b3 Merge pull request #345 from abhinavxd/fix-mention-scroll
  • 67ecf3a3 fix: keep the mentioned message in view when long messages collapse
  • f331b3cd Merge pull request #342 from jleroy/i18n/update-2026-05-26
  • 1915094c Fix globals.terms.slaMetric key in ja-JP.json
  • 92ccdca3 Add security.md
  • c8a5717b fix: filter search results by conversation read permission Auto focus on search input Trim search responses to 200 chars as more's not needed.
  • a318b52b Update translations [2025-05-26]
  • 5594cce0 Merge pull request #341 from abhinavxd/widget-ws-improvements
  • 9159c26d fix: clean up widget ws state on close and announce banner to screen readers
  • bba99d45 fix: show typing indicator on scroll, hide view transition abort errors
  • 9480e98d Merge pull request #336 from abhinavxd/adhoc-patch-1
  • 5538c857 refactor and dedup code: share conversation read-permission check across authz and ws
  • 29881f2f fix: close ws stale-perm gaps and resub on reconnect
  • 74e2213e fix: auto-resub list when conv uuids change
  • c87266f5 Skip ws converstion broadcast when agent is disabled
  • ddc82d9a fix: extract text from malformed email HTML
  • 4f707797 Move pvt method below public
  • 743b00ee fix: address PR review across stores, ws broadcast, and sticky scroll
  • 5dfefabe fix: guard previous_conversations loop against nullish current
  • a0851bc7 fix: show typing indicator on scroll, hide view transition abort errors
  • 8faf06ed fix: reliably sync widget missed messages on reconnect Update connection status banner to show more intermediate connection statuses like connecting.. and connected.
  • b65d9679 fix: scroll to target message on scrollTo deep-link instead of bottom
  • 0654e3bd fix: skip empty incoming attachments; assign team/agent before running post message hooks this allows automations to see the conversations assigned agent & team.
  • f5814929 refactor: dedupe overview report fetch/handler boilerplate
  • 214cc603 fix: derive conversation list link context from route params, not name substring
  • eb4e49ad fix: gate mark-as-read by route, clear stale lastInboxPath on load
  • 9f09d8c5 fix: dedupe parallel custom-attribute fetch, cache AI prompts in store
  • cd8eb5ee perf: keep-alive inbox layout to skip refetch on admin round-trip
  • e5ffe113 Fix edge cases in auto scrolling behavior. Extract sticky scroller to a composable for main & widget apps.
  • 0a0500f2 refactor: fold widget availability broadcast into BroadcastAgentAvailability
  • 92fe4f45 tweak: scope conv list refresh interval to InboxView, bump to 2m
  • 2874e78e fix: mark-unread no-op when latest message is a continuity email
  • 4f7a23e2 Merge pull request #338 from abhinavxd/dependabot/npm_and_yarn/frontend/qs-6.15.2
  • bd215324 build(deps): bump qs from 6.14.2 to 6.15.2 in /frontend
  • ad089fc7 fix: hide conv list items while skeleton is visible
  • e4fae78c tweak: bump skeleton minVisibleMs 300 -> 500ms
  • 46d56800 fix: skeleton not showing on slow network - View Transition was freezing render
  • 183c83b5 fix: prod crash from private methods, plus PR #336 review fixes
  • a502039e perf: WS push for conv list, store/cache cleanups, ad-hoc UI polish
  • aa972d53 Merge pull request #334 from abhinavxd/dependabot/npm_and_yarn/frontend/yaml-2.9.0
  • 735f5da1 build(deps): bump yaml from 2.7.1 to 2.9.0 in /frontend
  • ba64f55d Merge pull request #333 from abhinavxd/perf-optimizations-2
  • ee4ddae4 fix: log team-member fetch errors during cache invalidation
  • edc82e9e refactor: drop Casbin, centralize agent cache invalidation, dedupe pending SLAs
  • 33572efa fix: address WS PR review - stale cache retry, livechat buffer, last_active TOCTOU
  • 7a8efcde fix: widget ping interval, last_active flush, ws ping error, slim new_message payload
  • 43ebed1c WS rewrite: per-client subscriptions and perf improvements
  • 68d63948 Merge pull request #332 from abhinavxd/fix-attch-download-for-s3
  • 2b6fd313 fix: S3 attachment URLs and missed conversation list updates
  • 68d1b811 fix: attachment download through backend for S3 stores
  • 35d5f1be Merge pull request #330 from abhinavxd/fix/yahoo-quoted-text
  • 9dfcb6bc fix: hide Gmail forward quoted text
  • c03477a0 fix: hide Yahoo Mail quoted text
  • 10b0d814 Merge pull request #329 from abhinavxd/feat-show-inbox-name
  • 1607997d feat: show inbox name in conversation sidebar
  • 6bc36983 Merge pull request #328 from abhinavxd/hotfix-media-empty-uuid-cast
  • 4e13e72c fix: harden media + conversation queries against empty-uuid casts
  • df1d5815 fix: show "1 selected" in conversation bulk action toolbar
  • 5f0fed69 fix: make CSAT template insert idempotent in v2.0.0 migration
  • a6c86282 Merge pull request #320 from csr4422/feat/contact-notes-conversation-sidebar
  • 15ca5696 fix: skip stale toasts and invalidate in-flight fetches on contact reset
  • 259b2abb fix: gate contact notes sidebar by read perm and add bottom padding to contact page
  • a59f40e1 fix: prevent out-of-order responses in contact notes fetch
  • fd215600 feat: limit contact notes to 10 with view more button
  • 860527ab fix: reduce spacing in contact notes component
  • 444530bd i18n: add contact notes key for conversation sidebar
  • b2a2fc32 fix: refetch notes on contact change in conversation sidebar
  • 82b419de feat: add contact notes accordion section to conversation sidebar
  • d96a37d3 Merge pull request #327 from abhinavxd/perf/conversation-store
  • b15c7761 update migration to version 2.3.0
  • 41ef3fed fix conversation list fetch races and scope notification sound to current list and only play when tab is not open like whatsapp. Remove unused fetch participants API. Fix incorrect default language in schema.sql Show correct draft preview when text editor only has
  • 4c63152c Rename migration file v2.2.2 to v2.3.0
  • bbc8e556 Merge pull request #318 from jleroy/bugfix/i18n-keys-2026-04-18
  • 63e28af4 Update en translation
  • 7cf476bf Fix some translations issues: - Rename activityLog.type* keys used in activity log filter to activityLog.entryType* for more clarity - Rename actions.sendPrivateNote key to actions.addPrivateNote as note aren't sent out - Fix automations rulebox template to use component interpolation instead of multiple separate strings - Fix some source translations
  • adeb76c9 shrink conversation list page size and slow down conversation list refresh and participant fetches
  • c85cb90b Merge pull request #317 from jleroy/i18n/update-2026-05-15
  • ac597c47 Update ROADMAP.md
  • bddca7e6 Update ROADMAP.md
  • 44186f7a Update pt-BR localization
  • 06d1c395 Migration (v2.2.2): Remove unused "fmt" import
  • a6f58159 Fix translations issues
  • fdf897cc Migration (v2.2.2): Use parameterized queries to prevent SQL injection patterns
  • d482267e Make browser language detection keep the full locale, including region code
  • 3c3c845d Crowdin: Fix source language filename
  • 06a9b0b1 Merge pull request #326 from abhinavxd/dependabot/npm_and_yarn/frontend/js-yaml-4.1.1
  • fc6a875b Merge pull request #325 from abhinavxd/dependabot/npm_and_yarn/frontend/glob-10.5.0
  • 48edf5a0 build(deps): bump js-yaml from 4.1.0 to 4.1.1 in /frontend
  • aac466a1 build(deps): bump glob from 10.4.5 to 10.5.0 in /frontend
  • abf6f430 Merge pull request #324 from abhinavxd/dependabot/npm_and_yarn/frontend/minimatch-9.0.9
  • c5980747 Merge pull request #323 from abhinavxd/dependabot/npm_and_yarn/frontend/flatted-3.4.2
  • 558f85ba build(deps): bump minimatch from 3.1.2 to 9.0.9 in /frontend
  • 923525c7 build(deps): bump flatted from 3.3.2 to 3.4.2 in /frontend
  • 7b1256a2 bump frontend deps and tighten image upload validation
  • f8262251 Remove description requirement from most admin forms Fixes #292
  • bae4c23b hide outlook/hotmail quoted text correctly and fix html email whitespace
  • e048ba57 improve conversation thread and inbox list ux
  • 66d8c358 fall back to image preview for inline-image-only messages
  • 8a824039 ship config.sample.toml in release archives instead of config.toml
  • b014d0d9 resolve inline image cids on send-message response, revert f841a81f
  • f841a81f skip cid rewrite for private notes
  • f5eb1d19 Merge pull request #310 from abhinavxd/fix/auto-reply-contact-only
  • b5000c7b skip auto-reply and csat send when contact has no email
  • f6a4ad53 fix auto-replies and csat fanning out to last message's cc list
  • c1f80d93 Fix: persist drafts with inline-only images Increase orphan media GC duration to 7 days as some drafts might need them
  • 41b5a7d7 Fix varible assignment
  • e78f6822 Fix missing import
  • e0f362c1 Migrate DB to the new locale format
  • 64ccdeae Set frontend default locales to "en-US"
  • b6dd5f08 Merge pull request #316 from abhinavxd/fix/key-rotation
  • 8283b4e9 Update languages codes to include regions names and set default language to "en-US"
  • 3e1c6471 Scope encryption_key rotation fix to boot path
  • 94107079 Merge pull request #315 from abhinavxd/fix/quoted-inline-dedup
  • da3bdb21 Update translations [2025-05-15] and add regions names in languages filenames
  • 0abd96fb Fix quoted image resolution
  • 7c949e65 Don't fatal on encryption_key rotation
  • 793c3d2f Fix quoted-reply inline images returning no signed URL
  • dbf4d3a0 Fix inline image media not linking on S3 presigned URLs Also simplify the inline-image helpers: one matcher plus stringutil.ExtractUUID, instead of two combined regexes with offset math.
  • 34703477 Throttle conversation list refresh and keep list on fetch errors
  • d1c346d0 Style toasts with theme instead of rich colors
  • 74dd2f93 Merge pull request #286 from mageaustralia/feat/bulk-actions
  • 4ca99b33 Centralize conversation tag updates in store
  • 123b809b Address review feedback on bulk actions
  • 863ac68f Add bulk actions on conversations (assign, status, priority)
  • 8ae98de4 Merge pull request #289 from mageaustralia/feat/image-attachment-ux
  • 475667e9 Render audio attachments as tiles with inline popover player
  • 534771e9 Save inline image cid refs instead of urls in DB to survive url expiry
  • 14b8ceba Remove obvious comments
  • 9c2483a7 Harden attachment paths: drop PDF iframe, noopener/noreferrer everywhere, rename components so they don't confuse me anymore.
  • 0be4a48b Generate thumbnails for extensionless images with magic byte detection
  • b72dad7c Swap lightbox to lib, force-download via query param, link inline media on insert
  • 878506b5 Sync i18n with English fallback, trim MessageBubble comments
  • 4ab1885e Harden inline image embed
  • 98e04e75 Tighten image attachment UX: composable, lightbox a11y, send gates, tests
  • ae521e07 Translate image toolbar labels, fix Best fit and Small
  • 35bdf020 Drop replaceCIDInContent, keep PR scoped to image resize UX
  • acda125a Refactor inline images PR for project conventions
  • b96a9c59 Inline images, lightbox, and attachment UX
  • f4074511 Merge pull request #309 from abhinavxd/dependabot/npm_and_yarn/frontend/postcss-8.5.10
  • 13c690ee build(deps-dev): bump postcss from 8.4.49 to 8.5.10 in /frontend
  • 338eaa0f Merge pull request #308 from abhinavxd/dependabot/npm_and_yarn/frontend/axios-1.15.2
  • 74189f84 reduce websocket message channel buffer size from 10000 to 256
  • ab05d6ab fix ws client leak when conn dies between ping writes
  • ac5941c6 Update ROADMAP.md
  • f1b81f4b build(deps): bump axios from 1.15.0 to 1.15.2 in /frontend
  • d821cca8 Update ROADMAP.md
  • e7362a93 Update ROADMAP.md

What's Changed (Auto generated)

  • build(deps): bump axios from 1.15.0 to 1.15.2 in /frontend by @dependabot[bot] in https://github.com/abhinavxd/libredesk/pull/308
  • build(deps-dev): bump postcss from 8.4.49 to 8.5.10 in /frontend by @dependabot[bot] in https://github.com/abhinavxd/libredesk/pull/309
  • Inline images, lightbox, and attachment UX by @mageaustralia in https://github.com/abhinavxd/libredesk/pull/289
  • Add bulk actions on conversations (assign, status, priority) by @mageaustralia in https://github.com/abhinavxd/libredesk/pull/286
  • Fix quoted reply inline images returning no signed URL by @abhinavxd in https://github.com/abhinavxd/libredesk/pull/315
  • Don't fatal on encryption_key rotation by @abhinavxd in https://github.com/abhinavxd/libredesk/pull/316
  • fix auto-replies and csat fanning out to last message's cc list by @abhinavxd in https://github.com/abhinavxd/libredesk/pull/310
  • build(deps): bump flatted from 3.3.2 to 3.4.2 in /frontend by @dependabot[bot] in https://github.com/abhinavxd/libredesk/pull/323
  • build(deps): bump minimatch from 3.1.2 to 9.0.9 in /frontend by @dependabot[bot] in https://github.com/abhinavxd/libredesk/pull/324
  • build(deps): bump glob from 10.4.5 to 10.5.0 in /frontend by @dependabot[bot] in https://github.com/abhinavxd/libredesk/pull/325
  • build(deps): bump js-yaml from 4.1.0 to 4.1.1 in /frontend by @dependabot[bot] in https://github.com/abhinavxd/libredesk/pull/326
  • Update translations [2026-05-15] and add regions names in languages filenames by @jleroy in https://github.com/abhinavxd/libredesk/pull/317
  • Fix some minor translations-related issues by @jleroy in https://github.com/abhinavxd/libredesk/pull/318
  • Perf/conversation store by @abhinavxd in https://github.com/abhinavxd/libredesk/pull/327
  • Add contact notes to conversation sidebar by @csr4422 in https://github.com/abhinavxd/libredesk/pull/320
  • fix: harden media + conversation queries against empty-uuid casts by @abhinavxd in https://github.com/abhinavxd/libredesk/pull/328
  • feat: show inbox name in conversation sidebar by @abhinavxd in https://github.com/abhinavxd/libredesk/pull/329
  • fix: hide Yahoo + Gmail forward quoted text. by @abhinavxd in https://github.com/abhinavxd/libredesk/pull/330
  • fix: S3 attachment URLs and missed conversation list updates by @abhinavxd in https://github.com/abhinavxd/libredesk/pull/332
  • WS rewrite: per-client subscriptions and perf improvements by @abhinavxd in https://github.com/abhinavxd/libredesk/pull/333
  • build(deps): bump yaml from 2.7.1 to 2.9.0 in /frontend by @dependabot[bot] in https://github.com/abhinavxd/libredesk/pull/334
  • build(deps): bump qs from 6.14.2 to 6.15.2 in /frontend by @dependabot[bot] in https://github.com/abhinavxd/libredesk/pull/338
  • perf: WS push for conv list, store/cache cleanups, ad-hoc UI polish, adhoc fixes. by @abhinavxd in https://github.com/abhinavxd/libredesk/pull/336
  • fix: reliably sync widget missed messages on reconnect by @abhinavxd in https://github.com/abhinavxd/libredesk/pull/341
  • Update translations [2025-05-26] by @jleroy in https://github.com/abhinavxd/libredesk/pull/342
  • fix: keep the mentioned message in view when long messages collapse by @abhinavxd in https://github.com/abhinavxd/libredesk/pull/345
  • fix: sanitize invalid UTF-8 in incoming email by @abhinavxd in https://github.com/abhinavxd/libredesk/pull/346

Full Changelog: https://github.com/abhinavxd/libredesk/compare/v2.2.1...v2.3.0

Security Fixes

  • Security fix: message lookups now scoped to the parent conversation
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track libredesk

Get notified when new releases ship.

Sign up free

About libredesk

Modern, open source, self-hosted customer support desk. Single binary app.

All releases →

Related context

Beta — feedback welcome: [email protected]