This release includes 2 security fixes for security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal: Version 2.6.9 enforces launch PIN server‑side and blocks saved secrets from reaching the browser client.
Why it matters: Security impact: severity scores 90 (PIN enforcement) and 85 (secret leakage prevention). Operators must upgrade immediately to block authentication bypasses and secret exposure.
Summary
AI summary: Launch PIN enforced server‑side and saved secrets no longer reach the browser.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical | Enforces launch PIN server-side preventing bypass of authentication gate. (Source: llm_adapter@2026-06-10, confidence: high) | — |
| Security | High | Prevents saved secrets (API keys, tokens, passwords) from reaching the browser client. (Source: llm_adapter@2026-06-10, confidence: high) | — |
| Feature | Medium | Revamps full watchlist live‑scan with a persistent per‑run history modal and improved UI elements. (Source: llm_adapter@2026-06-10, confidence: high) | — |
| Feature | Medium | Provides detailed reasons why tracks were skipped during discography downloads and correctly credits collaboration tracks. (Source: llm_adapter@2026-06-10, confidence: high) | — |
| Feature | Medium | Writes full YYYY‑MM‑DD release dates to tags instead of only the year. (Source: llm_adapter@2026-06-10, confidence: high) | — |
| Feature | Low | Renames Spotify "free" to "Spotify (no auth)" and sets it as the default enrichment option with album search and budget→free bridge. (Source: granite4.1:30b@2026-06-10-audit, confidence: low) | — |
| Feature | Low | Applies multi-artist tags on search → download, resolving previous inconsistencies. (Source: granite4.1:30b@2026-06-10-audit, confidence: low) | — |
| Bugfix | Medium | Fixes delete operation for tracks containing curly apostrophes (U+2019) by normalizing quote characters. (Source: llm_adapter@2026-06-10, confidence: high) | — |
| Bugfix | Medium | Reuses existing folder for album downloads instead of creating a duplicate one. (Source: llm_adapter@2026-06-10, confidence: high) | — |
| Bugfix | Medium | Prevents dead‑file cleaner from flagging an entire library when file paths are merely unreachable. (Source: llm_adapter@2026-06-10, confidence: high) | — |
| Bugfix | Medium | Stops settings tab from flooding app.log with excessive log output. (Source: llm_adapter@2026-06-10, confidence: high) | — |
| Bugfix | Medium | Prevents owned tracks from re‑appearing in the wishlist after ownership verification. (Source: llm_adapter@2026-06-10, confidence: high) | — |
| Bugfix | Low | Honors configured sync mode and stops re‑adding every track during append sync. (Source: granite4.1:30b@2026-06-10-audit, confidence: low) | — |
| Bugfix | Low | Treats decimal-volume albums (e.g., vol 4 vs vol 4.5) as distinct, avoiding duplicate detection. (Source: granite4.1:30b@2026-06-10-audit, confidence: low) | — |
Full changelog
2.6.9
mostly a security release on top of a week of issue fixes.
security (the headline)
- launch PIN is enforced server-side now (#832) — it was only enforced in the browser, so it could be bypassed; matters most if you expose soulsync publicly. now a real server-side gate — unverified sessions can't reach anything but the unlock flow.
- saved secrets stop reaching the browser — the settings page was loading your stored api keys, tokens, and passwords into the client. now masked before they leave the server; saving an untouched form keeps the real value.
fixes
- #833 delete works on tracks with curly apostrophes again — db stored U+2019, disk had U+0027, so it deleted the row but left the file. resolution now folds typographic look-alikes (curly vs straight quotes, dashes) to find the real file. fixes existing files, no re-import.
- #831 full watchlist live-scan revamp — bespoke live deck (big portrait, progress bar, found/added feed, zero layout shift) + a persistent per-run scan history modal.
- #830 discography downloads explain why tracks were skipped instead of a flat "no new tracks", and credit collab tracks right.
- #829 album downloads reuse the existing folder instead of splitting into a second one.
- #828 dead file cleaner stops flagging a whole library when the paths are just unreachable.
- #827 settings stop flooding app.log from the logs tab.
- #825 owned tracks stop coming back to the wishlist (manual-add ownership check + matcher no longer reads a bracketed subtitle as a different song).
- #824 full yyyy-mm-dd release dates written to tags instead of just the year.
- #823 append sync stops re-adding every track + honors your configured sync mode.
- #740 wishlist album bundles no longer jam the shared download pool (sokhi).
- spotify "free" → renamed "spotify (no auth)", now the enrichment default, with album search + a working budget→free bridge.
- multi-artist tags finally apply on search → download now (netti93).
- decimal-volume albums (vol 4 vs vol 4.5) no longer treated as duplicates.
notes
- version bumped to 2.6.9 (web_server + docker-publish default), what's new modal updated.
- every fix landed with seam-level + regression tests; suite green (one pre-existing soundcloud mock failure, unrelated).
full list in the what's new modal.
Security Fixes
- Launch PIN enforcement moved server‑side (#832)
- Saved secrets masked before sending to the browser
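A minimal sketch of the two security fixes described in the changelog, added here as an illustration and not taken from the project's code: a server-side gate that lets unverified sessions reach only the unlock flow, and settings masking where saving an untouched form keeps the stored value. The route names, secret field names, `MASK` sentinel and session layout are assumptions.

```python
import hmac

MASK = "********"  # assumed placeholder sent to the browser instead of a secret
SECRET_KEYS = {"api_key", "token", "password"}  # assumed names of secret fields
UNLOCK_PATHS = {"/unlock", "/api/unlock"}  # assumed routes of the unlock flow


def gate(path, session, pin_configured=True):
    """Server-side gate: HTTP status decided before any route handler runs."""
    if not pin_configured or session.get("pin_verified"):
        return 200
    return 200 if path in UNLOCK_PATHS else 401


def unlock(session, submitted_pin, real_pin):
    """Mark the session verified only on a constant-time PIN match."""
    ok = hmac.compare_digest(submitted_pin.encode(), real_pin.encode())
    if ok:
        session["pin_verified"] = True
    return ok


def mask_settings(stored):
    """Copy of the settings that is safe to serialize to the client."""
    out = {}
    for key, value in stored.items():
        if isinstance(value, dict):
            out[key] = mask_settings(value)
        elif key in SECRET_KEYS and value:
            out[key] = MASK  # the real value never leaves the server
        else:
            out[key] = value
    return out


def merge_settings(stored, submitted):
    """Apply a saved form; a field still equal to MASK keeps the stored value."""
    merged = dict(stored)
    for key, value in submitted.items():
        if isinstance(value, dict) and isinstance(stored.get(key), dict):
            merged[key] = merge_settings(stored[key], value)
        elif key in SECRET_KEYS and value == MASK:
            continue  # untouched secret: keep what the server already has
        else:
            merged[key] = value
    return merged
```

The gate only works as a real control if it runs on every request ahead of routing, including API and static-data endpoints, rather than being called from individual page handlers.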