openrundev/openrun](https:

v0.17.5 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 6d Containers & Orchestration

✓ No known CVEs patched

This release patches 2 known CVEs

Topics

appserver containers deployment devops-tools docker go

+7 more

htmx internal-tools kubernetes kubernetes-deployment low-code-platform self-hosted starlark

Affected surfaces

auth breaking_upgrade

ReleasePort's take

Moderate signal

editorial:auto 6d

The release hardens Host header checks for HTTP and WebSocket connections to prevent abuse.

Why it matters: Security: Harden Host header checks (severity 90) mitigates potential request‑header abuse across HTTP and WebSocket surfaces.

AI summary

Updates @akclace, f5d356a90df6b52df322f75efa085942f2465ab5, and b5492466fc7c9786a72295de70bb645c82dfabe2 across a mixed release.

Type	Severity	Summary	CVE
Security	Critical	Harden Host header checks to prevent abuse Harden Host header checks to prevent abuse Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Low	Add mysql service binding support Add mysql service binding support Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Low	Initial support for declarative install of bindings Initial support for declarative install of bindings Source: llm_adapter@2026-05-28 Confidence: high	—
Dependency	Low	Upgrade golang.org/x/net package Upgrade golang.org/x/net package Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix
Bugfix	Medium	Fix websocket Host header handling Fix websocket Host header handling Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Medium	Fix postgres binding address for tests Fix postgres binding address for tests Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Low	Pass binding account info through env values to container Pass binding account info through env values to container Source: llm_adapter@2026-05-28 Confidence: high	—

Full changelog

f5d356a90df6b52df322f75efa085942f2465ab5: Harden Host header checks to prevent abuse (@akclace)
7d22b47285a4426ba655d1f4bde8c15758cf0074: Add mysql service binding (@akclace)
0873971b925fd05e3aa1aa40b84b2e1cb5fb9751: Added rewrite for Location header (@akclace)
52df07850417165d31bfd40ca67e8bfd639d00d3: Added tests for postgres container started with postgres binding (@akclace)
b5492466fc7c9786a72295de70bb645c82dfabe2: Fix postgres binding address for tests (@akclace)
ae12042a532f3ca95b2c6bfa0a6d6bd79269b4f7: Fix postgres binding address for tests (@akclace)
f9fc6d1c7cc8bf703a805911c6a5f24d0ef352fa: Fix postgres binding address for tests (@akclace)
33f785190793eb859e52e276e99d084dd3e090d4: Fix test failure (@akclace)
c43125937210f25be902ef2d4bbd18829ed7aa1d: Fix websocket Host header (@akclace)
1781f64a86a253beb1b6ae4951dbedbdc03eed51: Initial support for declarative install of bindings (@akclace)
4bdb9e1fafbdc6135fe6889e8edb2d7a10b73492: Pass binding account info through env values to container (@akclace)
98c7f66c8205bcf162a4c2d49b10381a4275f83b: Update changelog (@akclace)
5a35a0a39726ab4b15b2ac847cd91e7c2bac5b12: Upgrade golang.org/x/net package (@akclace)

Harden Host header checks to prevent abuse (commit f5d356a90df6b52df322f75efa085942f2465ab5)
Fix websocket Host header (commit c43125937210f25be902ef2d4bbd18829ed7aa1d)

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Track openrundev/openrun](https:

Get notified when new releases ship.

About openrundev/openrun](https: