This release includes 1 security fix for security teams reviewing exposed deployments.
Topics
Affected surfaces
ReleasePort's take
Moderate signalMealie v3.19.0 adds inβapp management of multiple AI providers and enforces the organize-group-data permission on food/tag/category mutations.
Why it matters: Enforcing organizeβgroupβdata permission mitigates unauthorized data changes; managing multiple AI providers expands workflow flexibility for developers and SREs.
Summary
AI summaryUpdates π§° Maintenance, l10n, and π Bug fixes across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium |
Protect sensitive data in query filter API (GHSA-8m57-7cv5-rjp8) Protect sensitive data in query filter API (GHSA-8m57-7cv5-rjp8) Source: llm_adapter@2026-05-24 Confidence: low |
β |
| Feature | Medium |
Adds in-app management of multiple AI providers for different tasks Adds in-app management of multiple AI providers for different tasks Source: llm_adapter@2026-05-24 Confidence: high |
β |
| Bugfix | Medium |
Enforces organize-group-data permission on food/tag/category mutations Enforces organize-group-data permission on food/tag/category mutations Source: llm_adapter@2026-05-24 Confidence: high |
β |
| Bugfix | Medium |
Fixes inconsistent translation between "from an image" and "from images" Fixes inconsistent translation between "from an image" and "from images" Source: llm_adapter@2026-05-24 Confidence: low |
β |
| Bugfix | Medium |
Prevents simultaneous swiping and scrolling on shopping list UI Prevents simultaneous swiping and scrolling on shopping list UI Source: llm_adapter@2026-05-24 Confidence: low |
β |
Full changelog
π΄π΄π΄π΄π΄π΄
βββThis release contains important security fixes in the query filter API. For more information, see: #7629
π Highlights
This release adds more flexible, in-app management of AI providers. You can now add multiple AI providers for different tasks (e.g. one provider for general use, and one provider for importing recipes from videos). These providers can be mixed between completely unrelated services (e.g. OpenAI, Azure, locally-hosted via Ollama, etc.).
Existing settings configured via environment variables (e.g. OPENAI_API_KEY) will automatically be imported one time upon upgrading your instance. For more information, check out the PR or the in-app announcement!
β¨ New features
- feat: In-app AI Provider Configuration @michael-genson (#7650)
π Bug fixes
- fix: Inconsistent "from an image" vs "from images" translation @michael-genson (#7642)
- fix: Protect sensitive data in query filter API (GHSA-8m57-7cv5-rjp8) @michael-genson (#7629)
- fix: enforce organize-group-data permission on food/tag/category mutations @hay-kot (#7651)
- fix: Prevent swiping AND scrolling on shopping list @michael-genson (#7659)
π§° Maintenance
6 changes- chore(l10n): New Crowdin updates @hay-kot (#7643)
- chore(l10n): New Crowdin updates @hay-kot (#7646)
- chore(l10n): New Crowdin updates @hay-kot (#7649)
- chore(l10n): New Crowdin updates @hay-kot (#7652)
- chore(l10n): Crowdin locale sync @mealie-actions[bot] (#7655)
- chore(l10n): New Crowdin updates @hay-kot (#7653)
π΄π΄π΄π΄π΄π΄
Security Fixes
- GHSA-8m57-7cv5-rjp8 β Protects sensitive data in query filter API
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About mealie
Mealie is a self hosted recipe manager and meal planner with a RestAPI backend and a reactive frontend application built in Vue for a pleasant user experience for the whole family. Easily add recipes into your database by providing the url and mealie will automatically import the relevant data or add a family recipe with the UI editor
Beta — feedback welcome: [email protected]