multica

v0.3.6 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 12d AI Agents & Assistants

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 2 known CVEs

Affected surfaces

auth rbac

ReleasePort's take

Light signal

editorial:auto 12d

The deleteCloudRuntimeNode API now correctly uses instance_id in its request body.

Why it matters: Fixes a bug that previously caused runtime deletion failures; ensures reliable node removal for developers and SREs managing cloud runtimes.

Summary

AI summary

Issues, landing page, onboarding, agent context injection, and security hardening updates across multiple modules.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	scope DELETE/UpdateIssueStatus queries by workspace_id for defense‑in‑depth scope DELETE/UpdateIssueStatus queries by workspace_id for defense‑in‑depth Source: llm_adapter@2026-05-22 Confidence: high	—
Feature
Feature	Medium	add member(user_id, workspace_id) index and upgrade sqlc to v1.31.1 add member(user_id, workspace_id) index and upgrade sqlc to v1.31.1 Source: llm_adapter@2026-05-22 Confidence: high	—
Feature	Medium	add workspace‑level always_redact_env setting for privacy control add workspace‑level always_redact_env setting for privacy control Source: llm_adapter@2026-05-22 Confidence: high	—
Feature	Medium	collapse start date into overflow menu for issue creation flow collapse start date into overflow menu for issue creation flow Source: llm_adapter@2026-05-22 Confidence: low	—
Feature	Medium	support macOS swipe navigation in desktop client support macOS swipe navigation in desktop client Source: llm_adapter@2026-05-22 Confidence: low	—
Feature	Medium	add live agent activity chip, per‑issue indicator and filter UI add live agent activity chip, per‑issue indicator and filter UI Source: llm_adapter@2026-05-22 Confidence: low	—
Feature	Medium	mention parent assignee in child‑done system comment for issues mention parent assignee in child‑done system comment for issues Source: llm_adapter@2026-05-22 Confidence: low	—
Feature	Medium	notify platform‑owned parent issue when a child is marked done notify platform‑owned parent issue when a child is marked done Source: llm_adapter@2026-05-22 Confidence: low	—
Feature	Medium	redesign board card layout and extract useTimeAgo i18n hook redesign board card layout and extract useTimeAgo i18n hook Source: llm_adapter@2026-05-22 Confidence: low	—
Feature	Medium	add Contact Sales page with inquiry endpoint to landing site add Contact Sales page with inquiry endpoint to landing site Source: llm_adapter@2026-05-22 Confidence: low	—
Feature	Medium	move Contact Sales link to hero area as text‑only element move Contact Sales link to hero area as text‑only element Source: llm_adapter@2026-05-22 Confidence: low	—
Feature	Medium	upgrade welcome_page card to slide format and add Stay‑current rule in onboarding upgrade welcome_page card to slide format and add Stay‑current rule in onboarding Source: llm_adapter@2026-05-22 Confidence: low	—
Feature	Medium	implement v3 onboarding with thin server and frontend‑orchestrated flow implement v3 onboarding with thin server and frontend‑orchestrated flow Source: llm_adapter@2026-05-22 Confidence: low	—
Bugfix
Bugfix	Medium	fix(api) use instance_id in deleteCloudRuntimeNode body fix(api) use instance_id in deleteCloudRuntimeNode body Source: llm_adapter@2026-05-22 Confidence: high	—
Bugfix	Medium	inject Workspace Context into agent brief payload inject Workspace Context into agent brief payload Source: llm_adapter@2026-05-22 Confidence: high	—
Bugfix	Medium	validate skill ID UUID at request boundary in handler validate skill ID UUID at request boundary in handler Source: llm_adapter@2026-05-22 Confidence: high	—
Bugfix	Medium	use ForkLock helper to stabilize thinking tests flakiness use ForkLock helper to stabilize thinking tests flakiness Source: llm_adapter@2026-05-22 Confidence: low	—
Bugfix	Medium	scroll to success card and simplify CTA on Contact Sales form scroll to success card and simplify CTA on Contact Sales form Source: llm_adapter@2026-05-22 Confidence: low	—
Bugfix	Medium	force attachment disposition for SVG uploads to prevent injection force attachment disposition for SVG uploads to prevent injection Source: llm_adapter@2026-05-22 Confidence: low	—
Bugfix	Medium	normalize MIME type in isInlineContentType check normalize MIME type in isInlineContentType check Source: llm_adapter@2026-05-22 Confidence: low	—
Bugfix	Medium	guard delete operation for self‑healing local runtimes guard delete operation for self‑healing local runtimes Source: llm_adapter@2026-05-22 Confidence: low	—
Bugfix	Medium	call API origin directly from Contact Sales form submission call API origin directly from Contact Sales form submission Source: llm_adapter@2026-05-22 Confidence: low	—
Bugfix	Medium	strip leaked tool markup safely in pi component strip leaked tool markup safely in pi component Source: llm_adapter@2026-05-22 Confidence: low	—
Bugfix	Medium	remove unused database exposed port from self‑hosted deployment remove unused database exposed port from self‑hosted deployment Source: llm_adapter@2026-05-22 Confidence: low	—
Bugfix	Medium	internationalize desktop Updates tab UI strings internationalize desktop Updates tab UI strings Source: llm_adapter@2026-05-22 Confidence: low	—
Bugfix	Medium	improve mobile skill readability by adjusting layout improve mobile skill readability by adjusting layout Source: llm_adapter@2026-05-22 Confidence: low	—
Bugfix	Medium	warn squad leader against double‑triggering an agent warn squad leader against double‑triggering an agent Source: llm_adapter@2026-05-22 Confidence: low	—
Bugfix	Medium	widen assignee picker and add text truncation in views component widen assignee picker and add text truncation in views component Source: llm_adapter@2026-05-22 Confidence: low	—
Other	Medium	add 2026‑05‑22 release notes documentation entry add 2026‑05‑22 release notes documentation entry Source: llm_adapter@2026-05-22 Confidence: low	—

Full changelog

Changelog

74f4d5a8fc066c97e1a3b60c235a809b8fa8f71e MUL-2510 fix(api): use instance_id in deleteCloudRuntimeNode body (#3009)
5bacfd974262514de7ae954372bead6bed72affe MUL-2526 feat: add member(user_id, workspace_id) index + upgrade sqlc to v1.31.1 (#3046)
0339599ff6068c3019238bd043a732f44b2592b3 docs(changelog): add 2026-05-22 release notes (#3082)
f2e6dc75bd642a6192aa5a1ee706f70dcecf1f76 feat(create-issue): collapse start date into ⋯ overflow menu (#3063)
ba9714a36492084e5f5a2c143a0f3ff2c24a0c9a feat(desktop): support macOS swipe navigation (#2997)
fedd0f16944bd8ebbb869bd2c8b4d4f3b98783d3 feat(issues): live agent activity chip + per-issue indicator + filter (#3058)
0bb51ccd0e4554d5cb4261f115d32b03f5d7c21d feat(issues): mention parent assignee in child-done system comment (MUL-2538) (#3065)
c967ae0e0efe03998143e83394a728b5f95af7c8 feat(issues): platform-owned parent notify on child done (MUL-2538) (#3055)
e0b756f51502c5a9439d6995f9b241a3dbe71ede feat(issues): redesign board card layout + extract useTimeAgo i18n hook (#3064)
7984606eedfdeeeda7eaeaebe84a2d45011c0915 feat(landing): add Contact Sales page and inquiry endpoint (MUL-2493) (#2988)
38ea02e60c1659d6e9007a321cb22ade6ada6da2 feat(landing): move Contact Sales to hero as text-only link (#3056)
d6fdd8d74e6a597718389bd629419a943269702f feat(onboarding): upgrade welcome_page card to slides + add Helper Stay-current rule (#3073)
fbd965e5bf776795f383def7cdb32aab1ddfc17c feat(onboarding): v3 — thin server, frontend-orchestrated welcome (#3008)
eefc6cebaa41e58177c7925cac5236c060e103f2 feat(server): add workspace-level always_redact_env setting (MUL-2495) (#2367)
a55c03a0b306ac192bff1638b8c71f66ba367987 fix(agent): inject Workspace Context into agent brief (MUL-2542) (#3078)
b9602adabe321349688670a4a1f6ac4c02d69b5a fix(handler): validate skill id UUID at request boundary (#3025)
bc056cf0eaff917f10be5a3d33eddc08e4d8cc43 fix(landing): call API origin directly from Contact Sales form (#3054)
f0a6738ed955d80c0d910477fd2ce6a896cda849 fix(landing): scroll to success card and simplify CTA on contact sales (#3057)
5bc77f2953d1c3589af4a8e3caf208d0a2707c78 fix(pi): strip leaked tool markup safely (#2956)
ed8f43867c31a7994d974c454f2b7f3fc7e5dca2 fix(runtimes): guard delete for self-healing local runtimes (#3076)
295df8d928fb8c54aa324b5d3809759aa5217e32 fix(security): force attachment disposition for SVG uploads (#3023)
424f67f7cb902cedfbf2d72ef9c0a85d3f6ec039 fix(security): normalize MIME type in isInlineContentType (#3050)
5d9293b8d0a49c98697f0ec964149be67048f89f fix(selfhost): remove unused db exposed port (#3040)
41788d2728f53e21eb964b14bd812524a8d00573 fix(settings): i18n the desktop Updates tab (MUL-2515) (#3014)
4ee5d5acdd193a54078dfc0bcd078733aedd96bc fix(skills): improve mobile skill readability (#2973)
46a29b1ebb1a6dd4d5407258d29d7c5ec6f2347e fix(squads): warn leader against double-triggering an agent (#3053)
a5582198ab6c030a74ab351344836009b27d75fe fix(views): widen assignee picker and add text truncation (#2947) (#3044)
1c91c2a3b2d25dff3bf9e31844c94831b3c20fb0 security(db): scope DELETE/UpdateIssueStatus by workspace_id (defense-in-depth) (#3027)
a6f19380b2c368e3cc0356fd93e7c1909c2a0f32 test(agent): use ForkLock helper to fix ETXTBSY flake in thinking tests (#3062)

Security Fixes

Normalize MIME type in isInlineContentType to prevent content‑type confusion
Force attachment disposition for SVG uploads to mitigate upload‑based attacks

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track multica

Get notified when new releases ship.

About multica

The open-source managed agents platform. Turn coding agents into real teammates — assign tasks, track progress, compound skills.

All releases →

Related context

Related tools

Earlier breaking changes

v0.3.8 Removes custom_env from agent resources, adds audited env endpoint (MUL-2600)