Borg Backup Server

v2.55.5 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

Published 7d Backup & Recovery

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

backup backup-manager borg-backup borgbackup borgbackup-gui borgbackup-web-ui

+2 more

self-hosted web-gui

Affected surfaces

auth breaking_upgrade

Summary

AI summary

New APIs expose repository and S3 credential details when include_secrets=1 and token capability controls access.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	Logs each call with `include_secrets=1` on `/api/v1/repositories` for audit. Logs each call with `include_secrets=1` on `/api/v1/repositories` for audit. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—
Feature
Feature	Low	Adds `GET /api/v1/repositories` endpoint to list all repositories across clients. Adds `GET /api/v1/repositories` endpoint to list all repositories across clients. Source: llm_adapter@2026-05-27 Confidence: high	—
Feature	Low	Adds `GET /api/v1/s3-credentials` endpoint with optional secret inclusion. Adds `GET /api/v1/s3-credentials` endpoint with optional secret inclusion. Source: llm_adapter@2026-05-27 Confidence: high	—
Feature	Low	Introduces "Display Secrets" token capability for API tokens. Introduces "Display Secrets" token capability for API tokens. Source: llm_adapter@2026-05-27 Confidence: low	—
Feature	Low	Allows optional inclusion of decrypted passphrases via `?include_secrets=1` on `/api/v1/repositories`. Allows optional inclusion of decrypted passphrases via `?include_secrets=1` on `/api/v1/repositories`. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—
Feature	Low	Allows optional inclusion of S3 access/secret keys via `?include_secrets=1` on `/api/v1/s3-credentials`. Allows optional inclusion of S3 access/secret keys via `?include_secrets=1` on `/api/v1/s3-credentials`. Source: granite4.1:30b@2026-05-27-audit Confidence: low	—
Bugfix	Medium	Repository Repair no longer aborts with 'Cancelled by user' when missing stdin confirmation. Repository Repair no longer aborts with 'Cancelled by user' when missing stdin confirmation. Source: llm_adapter@2026-05-27 Confidence: high	—

Full changelog

Fixes

Repository Repair no longer aborts with 'Cancelled by user' (#295) — borg check --repair prompts for a literal 'YES' on stdin before running, and the server-side repair job wasn't supplying it. Now sets BORG_CHECK_I_KNOW_WHAT_I_AM_DOING=YES on both the local and remote-SSH borg paths.

New API

GET /api/v1/repositories — list every repository across every client in one response. Pass ?include_secrets=1 to also return the decrypted passphrase per repo (for escrow / disaster-recovery exports). Each call with include_secrets=1 is logged to server_log for audit (#289).
GET /api/v1/s3-credentials now follows the same pattern: returns endpoint / region / bucket / path_prefix by default; add ?include_secrets=1 to also get the access key and secret key.
Token capability: Display Secrets — Settings → API → Create Token has a new checkbox. Only tokens with the capability can pass ?include_secrets=1 on either endpoint; everything else gets HTTP 403. Existing tokens default to no-secrets, so this is a strictly additive permission.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Borg Backup Server

Get notified when new releases ship.

About Borg Backup Server

Centrally manage BorgBackup across endpoints

All releases →

Borg Backup Server

Summary

Changes in this release

Fixes

New API

Related context

Related tools