notifuse

v30.1 Security

This release includes 1 security fix that security teams reviewing exposed deployments should note.

Published 22d Communication & Email
✓ No known CVEs patched
This release patches 1 known CVE

Topics

api email mailing-list newsletter self-hosted transactional

Affected surfaces

auth breaking_upgrade

ReleasePort's take

Light signal
editorial:auto 13d

v30.1 patches CVE-2026-29181 in the OpenTelemetry Go dependency and changes SMTP authentication behavior when TLS is disabled. Review SMTP configuration in non-TLS deployments; the new behavior uses PLAIN-NOENC explicitly.

Why it matters: Patch OpenTelemetry dependency immediately for CVE-2026-29181. Review SMTP deployments using SMTP_USE_TLS=false—behavior now explicitly uses PLAIN-NOENC instead of auto-detection.

Summary

AI summary

Security fix for CVE-2026-29181 and breaking change in SMTP auth behavior with TLS disabled.

Changes in this release

Security Medium

Bumped go.opentelemetry.io/otel to v1.41.0 in telemetry/go.mod (CVE-2026-29181)

Source: llm_adapter@2026-05-21

Confidence: low

Breaking Medium

SMTP auth with SMTP_USE_TLS=false now uses PLAIN-NOENC explicitly instead of auto-discover

Source: llm_adapter@2026-05-21

Confidence: high

Full changelog
  • Security: Bumped go.opentelemetry.io/otel to v1.41.0 in telemetry/go.mod (CVE-2026-29181).
  • Deps: Bumped gomjml to v0.12.0.

Breaking Changes

  • SMTP auth with SMTP_USE_TLS=false: When TLS is explicitly disabled, the SMTP client now uses PLAIN-NOENC (go-mail's SMTPAuthPlainNoEnc) explicitly instead of SMTPAuthAutoDiscover. Previously, go-mail's auto-discover refused PLAIN/LOGIN over an unencrypted connection (only SCRAM-SHA-* and CRAM-MD5 were tried), and SMTPAuthPlain itself also refused unencrypted connections at the AUTH step. PLAIN-NOENC bypasses both gates while sending the standard AUTH PLAIN command on the wire, so any server that advertises AUTH PLAIN (e.g. local maddy/Mailpit relays) accepts it. Operators who have set SMTP_USE_TLS=false have already accepted plaintext credential transit, so forcing PLAIN aligns with their stated intent. Action: none if your relay accepts PLAIN. If your relay only accepts SCRAM/CRAM-MD5, you must enable TLS (SMTP_USE_TLS=true) — auto-discover continues to apply when TLS is on.
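
Whether the upgrade needs action depends on the SASL mechanisms the relay lists in its EHLO reply. The following pre-upgrade check is an added example, not notifuse or go-mail code: the helper names `authMechs` and `upgradeImpact` are hypothetical, and the two EHLO replies are constructed samples.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed EHLO replies for illustration (not captured from real servers).
const plainRelay = "250-relay.example.test\r\n250-SIZE 10485760\r\n250 AUTH PLAIN LOGIN\r\n"
const scramRelay = "250-relay.example.test\r\n250-AUTH SCRAM-SHA-256 CRAM-MD5\r\n250 8BITMIME\r\n"

// authMechs returns the SASL mechanisms advertised on the AUTH line(s) of an EHLO reply.
func authMechs(ehlo string) map[string]bool {
	mechs := map[string]bool{}
	for _, line := range strings.Split(ehlo, "\n") {
		line = strings.ToUpper(strings.TrimSpace(line))
		if len(line) < 5 || !strings.HasPrefix(line, "250") {
			continue
		}
		// Skip the "250-" / "250 " prefix; accept the legacy "AUTH=" spelling too.
		fields := strings.Fields(strings.Replace(line[4:], "AUTH=", "AUTH ", 1))
		if len(fields) > 1 && fields[0] == "AUTH" {
			for _, m := range fields[1:] {
				mechs[m] = true
			}
		}
	}
	return mechs
}

// upgradeImpact maps the SMTP_USE_TLS setting and the relay's EHLO reply
// to the outcome the v30.1 changelog describes.
func upgradeImpact(useTLS bool, ehlo string) string {
	mechs := authMechs(ehlo)
	switch {
	case useTLS:
		return "unchanged: auto-discover still applies when TLS is on"
	case mechs["PLAIN"]:
		return "works: AUTH PLAIN is sent, credentials cross the link unencrypted"
	default:
		return "breaks: relay does not advertise AUTH PLAIN, set SMTP_USE_TLS=true"
	}
}

func main() {
	fmt.Println(upgradeImpact(false, plainRelay))
	fmt.Println(upgradeImpact(false, scramRelay))
	fmt.Println(upgradeImpact(true, scramRelay))
}
```

Feed it the EHLO reply your own relay returns on the port notifuse uses; a "works" verdict is also the cue to confirm that the hop to the relay is a trusted local link.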

Breaking Changes

  • When `SMTP_USE_TLS=false`, SMTP client now uses `PLAIN-NOENC` auth instead of `SMTPAuthAutoDiscover`; servers that only accept `SCRAM`/`CRAM-MD5` require TLS to be enabled.

Security Fixes

  • CVE-2026-29181 — Bumped go.opentelemetry.io/otel to v1.41.0

About notifuse

Notifuse is an open-source & modern emailing platform
