PeerTube

v8.1.8 Security

This release includes 1 security fix; it is relevant to security teams reviewing exposed deployments.

Published 11d Media Servers
CVE status: pending (a CVE has been requested for the SQL injection; no number has been assigned yet)

Topics: activitypub, angular, decentralized, p2p, video

Affected surfaces: auth, rce_ssrf, breaking_upgrade

ReleasePort's take

Moderate signal
editorial:auto 11d

Version v8.1.8 of PeerTube removes the compromised peertube-plugin-google-analytics-js, invalidates existing OAuth tokens due to an exploited SQL injection flaw, and introduces a config option to disable root token usage.

Why it matters: The release patches an exploited SQL-injection vulnerability that enabled unauthorized root token generation; operators must upgrade to v8.1.8 and invalidate prior tokens immediately.

Summary

AI summary

SQL injection vulnerability exploited; v8.1.8 removes malicious plugin, invalidates OAuth tokens, and adds config to disable root auth.

Changes in this release

Security High

Invalidates all OAuth tokens, forcing users to log in again.

Source: granite4.1:30b@2026-05-23-audit

Confidence: low

Security Medium

Removes peertube-plugin-google-analytics-js and invalidates OAuth tokens due to exploited SQL injection vulnerability.

Source: llm_adapter@2026-05-23

Confidence: low

Feature Medium

Adds `user.disable_root_auth` config key to disable root token usage.

Source: llm_adapter@2026-05-23

Confidence: high

Bugfix Medium

Addresses exploited SQL injection vulnerability that allowed root token generation and malicious plugin installation.

Source: llm_adapter@2026-05-23

Confidence: low

Refactor Medium

Removes `peertube-plugin-google-analytics-js` from the plugin registry.

Source: llm_adapter@2026-05-23

Confidence: low

Full changelog

IMPORTANT NOTES

We have learned that the SQL injection vulnerability fixed in v8.1.6 has been exploited at scale since at least May 18, 2026, i.e. before the v8.1.6 release.
According to our investigation, the attacker exploited this SQL injection to generate a token for the root user and install the peertube-plugin-google-analytics-js plugin. This plugin imports a client script from hxxps://www.googie-anaiytics.com/jquery.ui.js that, at the time of writing, only logs a line in the web browser.

Actions taken by this release:

  • Automatically remove peertube-plugin-google-analytics-js in v8.1.8
  • Invalidate OAuth tokens in v8.1.8 (all users must log in again)
  • Add a new user.disable_root_auth config key to disable root token usage
  • Remove the plugin from the plugin registry

Actions taken by Framasoft:

  • Report googie-anaiytics.com to the registrar
  • Send a contact-form message to public PeerTube instances
  • Release additional versions if we observe other attack vectors
  • A CVE is being requested for the SQL injection

Actions admins must take:

  • Upgrade to v8.1.8 as soon as possible
  • Review newly created users and videos
  • Review your instance configuration, especially Configuration -> Customization -> JavaScript/CSS
  • Review installed plugins
  • Generate new tokens for your runners

If you cannot upgrade to v8.1.8:

  1. Remove actor follows whose URL contains 20.240.202.159:
     • Find them: SELECT * FROM "actorFollow" WHERE "url" LIKE '%20.240.202.159%'
     • Delete them: DELETE FROM "actorFollow" WHERE "id" = ...
  2. Remove actors whose inboxUrl contains a ' character:
     • Find them: SELECT * FROM "actor" WHERE "inboxUrl" LIKE '%''%'
     • Delete them: DELETE FROM "actor" WHERE "id" = ...
  3. Invalidate OAuth tokens: UPDATE "oAuthToken" SET "accessTokenExpiresAt" = NOW(), "refreshTokenExpiresAt" = NOW() WHERE "accessTokenExpiresAt" > NOW() OR "refreshTokenExpiresAt" > NOW()
  4. Remove peertube-plugin-google-analytics-js from instance plugins
  5. Disable federation in production.yaml by setting federation.enabled to false
  6. Restart PeerTube
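The database part of the manual mitigation above (find the suspicious follows and actors, delete only the reviewed ids, expire every still-valid token, then verify) as an added, self-contained example. This is not PeerTube or Framasoft code: it models the three tables in an in-memory SQLite database with constructed rows so it runs offline, and because SQLite has no NOW() it uses CURRENT_TIMESTAMP in the token statement; on a real instance the release-note statements are run in psql against PostgreSQL. The table and column names come from the notes; the sample rows, the host 198.51.100.7 and the helper names are assumptions made for the example.

```python
import sqlite3

# Indicator quoted in the release notes (host seen in malicious actor follows).
SUSPICIOUS_FOLLOW_HOST = "20.240.202.159"

# Tables this script may delete from; no table name is ever taken from input.
DELETABLE_TABLES = {"actorFollow", "actor"}


def build_sample_db() -> sqlite3.Connection:
    """Throwaway in-memory database with constructed rows (not real instance data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE "actorFollow" ("id" INTEGER PRIMARY KEY, "url" TEXT);
        CREATE TABLE "actor" ("id" INTEGER PRIMARY KEY, "inboxUrl" TEXT);
        CREATE TABLE "oAuthToken" (
            "id" INTEGER PRIMARY KEY,
            "accessTokenExpiresAt" TEXT,
            "refreshTokenExpiresAt" TEXT
        );
        -- one legitimate follow and one pointing at the indicator host
        INSERT INTO "actorFollow" VALUES
            (1, 'https://peertube.example.org/accounts/alice/follows/1'),
            (2, 'http://20.240.202.159/accounts/x/follows/7');
        -- one legitimate actor and one whose inboxUrl carries a stray ' (written '' in SQL)
        INSERT INTO "actor" VALUES
            (10, 'https://peertube.example.org/accounts/alice/inbox'),
            (11, 'https://198.51.100.7/inbox''x');
        -- one live token (expires far in the future) and one already expired
        INSERT INTO "oAuthToken" VALUES
            (100, '2099-01-01 00:00:00', '2099-01-01 00:00:00'),
            (101, '2000-01-01 00:00:00', '2000-01-01 00:00:00');
        """
    )
    return conn


def find_suspicious_follows(conn: sqlite3.Connection) -> list[int]:
    """Step 1, find: ids of actorFollow rows whose url contains the indicator host."""
    # Bound-parameter form of: SELECT * FROM "actorFollow" WHERE "url" LIKE '%20.240.202.159%'
    rows = conn.execute('SELECT "id" FROM "actorFollow" WHERE "url" LIKE ?',
                        (f"%{SUSPICIOUS_FOLLOW_HOST}%",)).fetchall()
    return [row[0] for row in rows]


def find_actors_with_quote(conn: sqlite3.Connection) -> list[int]:
    """Step 2, find: ids of actor rows whose inboxUrl contains a ' character."""
    # The notes write LIKE '%''%': the doubled quote is SQL escaping for one ',
    # so as a bound parameter the pattern is simply %'%.
    rows = conn.execute('SELECT "id" FROM "actor" WHERE "inboxUrl" LIKE ?',
                        ("%'%",)).fetchall()
    return [row[0] for row in rows]


def delete_rows(conn: sqlite3.Connection, table: str, ids: list[int]) -> int:
    """Steps 1 and 2, delete: remove only the reviewed ids, one DELETE per row."""
    if table not in DELETABLE_TABLES:
        raise ValueError(f"refusing to delete from {table!r}")
    with conn:  # single transaction, rolled back if any statement fails
        for row_id in ids:
            conn.execute(f'DELETE FROM "{table}" WHERE "id" = ?', (row_id,))
    return len(ids)


def invalidate_tokens(conn: sqlite3.Connection) -> int:
    """Step 3: expire every token still valid; returns the number of rows updated."""
    # Same statement as the notes, NOW() replaced by CURRENT_TIMESTAMP for SQLite.
    with conn:
        cur = conn.execute(
            'UPDATE "oAuthToken" '
            'SET "accessTokenExpiresAt" = CURRENT_TIMESTAMP, '
            '    "refreshTokenExpiresAt" = CURRENT_TIMESTAMP '
            'WHERE "accessTokenExpiresAt" > CURRENT_TIMESTAMP '
            '   OR "refreshTokenExpiresAt" > CURRENT_TIMESTAMP'
        )
    return cur.rowcount


def count_live_tokens(conn: sqlite3.Connection) -> int:
    """Verification: tokens that would still be accepted after the steps ran."""
    return conn.execute(
        'SELECT COUNT(*) FROM "oAuthToken" '
        'WHERE "accessTokenExpiresAt" > CURRENT_TIMESTAMP '
        '   OR "refreshTokenExpiresAt" > CURRENT_TIMESTAMP'
    ).fetchone()[0]


def run_mitigation(conn: sqlite3.Connection) -> dict[str, int]:
    """Steps 1 to 3 end to end; steps 4 to 6 (plugin, federation, restart) live outside the DB."""
    follows = find_suspicious_follows(conn)
    actors = find_actors_with_quote(conn)
    return {
        "follows_removed": delete_rows(conn, "actorFollow", follows),
        "actors_removed": delete_rows(conn, "actor", actors),
        "tokens_invalidated": invalidate_tokens(conn),
        "live_tokens_after": count_live_tokens(conn),
    }


if __name__ == "__main__":
    print(run_mitigation(build_sample_db()))
```

Two details worth carrying over to the real psql session: review the output of the two find queries before deleting anything, since a legitimate remote instance could in principle match a LIKE pattern, and keep every value you pass into a query as a bound parameter rather than string concatenation, which is the class of flaw this release is cleaning up after.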

Breaking Changes

  • Automatic removal of `peertube-plugin-google-analytics-js` from installations
  • Invalidation of all OAuth tokens requiring users to log in again
  • Addition of new config key `user.disable_root_auth` to disable root token usage

Security Fixes

  • CVE pending — SQL injection vulnerability exploited at scale; fixed in v8.1.6 and mitigated further in v8.1.8


About PeerTube

ActivityPub-federated video streaming platform using P2P directly in your web browser

Related context

Earlier breaking changes

  • v8.2.0 Drops iOS support for versions < 15.4
  • v8.2.0 Removes support for NodeJS 20; requires upgrade to NodeJS 22 (>=22.12)
  • v8.1.6 Restricts role assignment to administrators only.
