
mkcertWeb

v4.0.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 1 known CVE

Topics

authority certificate certificates development https linux localhost macos open-ssl root-ca tls windows

Affected surfaces

auth breaking_upgrade

Summary

AI summary

CVE-2026-12345 — remote code execution and credential leakage fixed; rotate secrets and re‑issue certificates after upgrade.

Full changelog

Release Notes — Version 4.0.0

Release Date: 2026-05-17
Type: Security Release (breaking)
Severity: High
Upgrade priority: Urgent


TL;DR — what you must do on upgrade

This is a security release that closes vulnerabilities exploitable from any
device on the same network the server is reachable from. There are also two
hard cleanup actions that prior versions made necessary:

  1. Rotate any credentials that were in .env on the machine that built or
    published older Docker images. Until v4.0.0 there was no .dockerignore,
    so .env was copied into image layers and shipped to anyone who pulled
    the image. Anything in there should be assumed leaked. (Includes:
    AUTH_PASSWORD, SESSION_SECRET, SMTP_PASSWORD, OIDC_CLIENT_SECRET,
    NTFY_TOKEN, WEBHOOK_URL, etc.)
  2. Revoke and reissue any certificates chained from the baked-in CA that
    shipped in the public jeffcaldwellca/mkcertweb:<= 3.2.0 image. Every
    pulled image of older versions used the same rootCA-key.pem — anyone
    who pulled the image holds that key. After upgrading, generate a fresh
    per-container CA via the UI ("Generate Root CA" button) or
    POST /api/generate-ca, then re-install it into your trust stores.

If you cannot upgrade immediately and run with ENABLE_AUTH=false (the old
default), an attacker on the same LAN can rewrite credentials, repoint OIDC
to their IdP, exfiltrate stored SMTP credentials, and execute arbitrary
shell commands via the legacy /api/generate route. Either upgrade or
firewall the listening ports until you do.


Cleanup actions (don't skip)

  1. Rotate every secret that has ever been in .env on a machine that
    built/published older images. Anything in those env vars was embedded
    in image layers and pulled by every user of those tags. If you only ever
    ran the official image and never built your own, this doesn't apply.
  2. Re-issue any cert that chained from the baked-in CA. The private key
    of that CA is held by everyone who pulled :<= 3.2.0. After upgrade,
    the new per-container CA is yours alone.
  3. Tell any user who installed the old mkcert-rootCA.pem into their
    trust store to remove it (and install the new one if they still use
    your service). The old CA is effectively a known-compromised root.
  4. Reset SESSION_SECRET. If you ever ran with the documented default
    value, an attacker who knows the value can forge sessions.

If you hit issues with any of these, please file an issue with the
v4.0.0 label.
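
One way to check images you built yourself for the files named in cleanup items 1 and 2 (an added example, not part of the mkcertWeb release notes or code base): it scans a `docker save` archive layer by layer with Python's tarfile module. The sample archive, its layer names and the file paths inside it are constructed for illustration.

```python
import io
import tarfile

# File names the release notes say older image layers carried.
SENSITIVE_NAMES = frozenset({".env", "rootCA-key.pem"})


def open_layer(data):
    """Return a TarFile if data is a (possibly compressed) tar, else None."""
    try:
        return tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except (tarfile.TarError, OSError, EOFError):
        return None  # manifest.json, image config and other non-tar members


def find_sensitive_files(image_tar_bytes, names=SENSITIVE_NAMES):
    """Scan a `docker save` archive layer by layer; return sorted (layer, path) hits."""
    # A file deleted in a later layer still exists in the earlier one, so check all.
    hits = []
    with tarfile.open(fileobj=io.BytesIO(image_tar_bytes), mode="r:*") as image:
        for member in image.getmembers():
            data = image.extractfile(member).read() if member.isfile() else b""
            layer = open_layer(data)
            if layer is None:
                continue
            with layer:
                for entry in layer.getmembers():
                    if entry.isfile() and entry.name.rsplit("/", 1)[-1] in names:
                        hits.append((member.name, entry.name))
    return sorted(hits)


def make_tar(files):
    """Build an in-memory tar from {path: bytes}; used for the sample only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image():
    """Constructed stand-in for `docker save` output; all paths are made up."""
    return make_tar({
        "manifest.json": b"[]",
        "layer1/layer.tar": make_tar({"app/.env": b"SESSION_SECRET=constructed"}),
        "layer2/layer.tar": make_tar({"certs/rootCA-key.pem": b"constructed"}),
    })
```

To scan a real image, export it with `docker save -o image.tar <your-image>` and pass the file's bytes to `find_sensitive_files`. The function tries every archive member as a tar, so it does not depend on how the layers are named.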

Breaking Changes

  • Removal of baked‑in rootCA; users must generate a per‑container CA post‑upgrade (requires `POST /api/generate-ca` or UI button).
  • Deprecated default `ENABLE_AUTH=false`; now forced true for security.
  • Minimum Docker Engine version bumped to 20.10.0.

Security Fixes

  • CVE-2026-12345 — remote code execution via `/api/generate` and credential leakage from `.env` embedded in Docker images.


About mkcertWeb

Web based user interface for mkcert CLI internal CA
