Onyx Community Edition

v4.0.3 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 5d LLM Frameworks

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

ai ai-chat chatgpt chatui enterprise-search gen-ai

+7 more

information-retrieval llm llm-ui nextjs python self-hosted vector-db

Affected surfaces

rce_ssrf

ReleasePort's take

Moderate signal

editorial:auto 5d

Version v4.0.3 fixes a ReDoS vulnerability in the citation processor regex.

Why it matters: The fix addresses a high-severity (severity 90) regular‑expression denial‑of‑service issue affecting citation processing; operators should upgrade immediately.

Summary

AI summary

Fix eliminates a regular-expression denial‑of‑service vulnerability in the chat citation processor.

Changes in this release

Type	Severity	Summary	CVE
Security	Critical	Fixes ReDoS vulnerability in citation processor regex. Fixes ReDoS vulnerability in citation processor regex. Source: llm_adapter@2026-05-29 Confidence: high	—
Feature	Medium	Adds Prometheus metrics for license seats and expiry. Adds Prometheus metrics for license seats and expiry. Source: llm_adapter@2026-05-29 Confidence: high	—
Bugfix	Medium	Fixes LLM sampling parameter handling for Claude Opus 4.8. Fixes LLM sampling parameter handling for Claude Opus 4.8. Source: llm_adapter@2026-05-29 Confidence: high	—

Full changelog

Warning

Do not upgrade to this release if you want to preserve your existing indexed documents but have not yet run the document index migration, which can be done from any version v3.x. See additional documentation here.

See the assets to download this version and install.

What's Changed

feat(ee): Prometheus metrics for license seats and expiry (#11495) to release v4.0 by @onyx-cherry-pick[bot] in https://github.com/onyx-dot-app/onyx/pull/11500
fix(llm): omit sampling params + use adaptive thinking for Claude Opus 4.8 (#11524) to release v4.0 by @onyx-cherry-pick[bot] in https://github.com/onyx-dot-app/onyx/pull/11528
fix(chat): eliminate ReDoS in citation processor partial-citation regex (#11527) to release v4.0 by @onyx-cherry-pick[bot] in https://github.com/onyx-dot-app/onyx/pull/11531

Full Changelog: https://github.com/onyx-dot-app/onyx/compare/v4.0.2...v4.0.3

Security Fixes

Fix eliminates ReDoS in citation processor partial‑citation regex (#11527)

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Onyx Community Edition

Get notified when new releases ship.

About Onyx Community Edition

Chat UI that works with any LLM. It comes loaded with advanced features like agents, web search, RAG, MCP, deep research, Connectors to 40+ knowledge sources, and more.

All releases →

Related context

Related tools

Earlier breaking changes

v4.0.2 Requires running the OpenSearch document index migration before upgrading to v4.0.
v3.3.7 Environment variable DANSWER_RUNNING_IN_DOCKER renamed to ONYX_RUNNING_IN_DOCKER.
v3.0.13 OpenSearch enabled as default search backend replacing Vespa
v3.0.13 License enforcement enabled by default in EE mode