
mealie

v3.18.0 Security

This release includes 2 security fixes relevant to security teams reviewing exposed deployments.

Published 14d Productivity & Wikis
✓ No known CVEs patched
This release patches 2 known CVEs

Topics

meal-plans recipe-manager self-hosted

Affected surfaces

auth rbac

Summary

AI summary

Broad release touches 🐛 Bug fixes, fix, 🧰 Maintenance, and ⬆️ Dependency updates.

Changes in this release

Feature Medium

Improve new shopping list UI


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

Remember screen lock preference


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Dependency Medium

Update mypy dependency to v2


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Dependency Medium

Update types-requests dependency to v2.33.0.20260503


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Dependency Medium

Upgrade Node.js to version 34f0eb9


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Dependency Medium

Upgrade Node.js to version 050bf2b


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Dependency Medium

Update authlib dependency to v1.7.1


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Dependency Medium

Update openai dependency to v2.34.0


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Fix Query Filter Builder "Advanced" bug


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Make PWA share target functional on Android Chrome


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Redirect to login and validate input on password reset flow


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Update backend normalization to match search normalization logic


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Update OpenAI recipe parse prompt to return same number of ingredients as given


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Redirect to new slug URL after recipe rename


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Prevent double-scaling of sub-recipe ingredients in shopping list


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Stop infinite API request loop on empty stores


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Downgrade OIDC missing-claims log from ERROR to DEBUG


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Bugfix Medium

Use locale for Recipe Created timeline event


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Bugfix Medium

Block scriptable asset extensions and force Content-Disposition: attachment


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Bugfix Medium

Enforce ownership check on recipe deletion


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Other Medium

New Crowdin updates for localization


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Other Medium

Crowdin locale sync automation


Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Full changelog

🍴🍴🍴🍴🍴🍴

✨ New features

  • feat: Improve new shopping list UI @michael-genson (#7600)
  • feat: Remember screen lock preference @michael-genson (#7609)

🐛 Bug fixes

  • fix: Query Filter Builder "Advanced" bug @michael-genson (#7599)
  • fix: make PWA share target functional on Android Chrome @zdenek-stursa (#7468)
  • fix: redirect to login and validate input on password reset flow @zdenek-stursa (#7521)
  • fix: Update backend normalization to match search normalization logic @michael-genson (#7603)
  • fix: Update OpenAI recipe parse prompt to return the same number of ingredients as given @michael-genson (#7604)
  • fix: redirect to new slug URL after recipe rename @zdenek-stursa (#7522)
  • fix: prevent double-scaling of sub-recipe ingredients in shopping list @zdenek-stursa (#7537)
  • fix: Infinite API request loop on empty stores @michael-genson (#7613)
  • fix: downgrade OIDC missing-claims log from ERROR to DEBUG (#6801) @hay-kot (#7620)
  • fix: use locale for Recipe Created timeline event (#4497) @hay-kot (#7623)
  • fix: block scriptable asset extensions and force Content-Disposition: attachment (GHSA-gfwc-pjx4-mg9p) @hay-kot (#7626)
  • fix: enforce ownership check on recipe deletion (GHSA-x5v9-9jvh-7c7q) @hay-kot (#7625)

🧰 Maintenance

8 changes
  • chore(l10n): New Crowdin updates @hay-kot (#7571)
  • chore(l10n): Crowdin locale sync @mealie-actions[bot] (#7595)
  • chore(l10n): New Crowdin updates @hay-kot (#7589)
  • chore(l10n): New Crowdin updates @hay-kot (#7605)
  • chore(l10n): New Crowdin updates @hay-kot (#7608)
  • chore: update SECURITY.md for GitHub private vulnerability reporting @hay-kot (#7612)
  • chore(l10n): Crowdin locale sync @mealie-actions[bot] (#7637)
  • chore(l10n): New Crowdin updates @hay-kot (#7617)

⬆️ Dependency updates

7 changes
  • chore(deps): update dependency mypy to v2 @renovate[bot] (#7584)
  • chore(deps): update dependency types-requests to v2.33.0.20260503 @renovate[bot] (#7587)
  • chore(deps): update node.js to 34f0eb9 @renovate[bot] (#7590)
  • chore(deps): update node.js to 050bf2b @renovate[bot] (#7592)
  • fix(deps): update dependency authlib to v1.7.1 @renovate[bot] (#7593)
  • fix(deps): update dependency openai to v2.34.0 @renovate[bot] (#7594)
  • fix(deps): update dependency authlib to v1.7.2 @renovate[bot] (#7606)

🍴🍴🍴🍴🍴🍴

Security Fixes

  • block scriptable asset extensions and force Content-Disposition: attachment (GHSA-gfwc-pjx4-mg9p)
  • enforce ownership check on recipe deletion (GHSA-x5v9-9jvh-7c7q)


About mealie

Mealie is a self-hosted recipe manager and meal planner with a REST API backend and a reactive frontend application built in Vue for a pleasant user experience for the whole family. Easily add recipes to your database by providing the URL, and Mealie will automatically import the relevant data, or add a family recipe with the UI editor.
