
penpot

v2.15.0 Security

This release includes 1 security fix of interest to security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 1 known CVE

Topics

clojure clojurescript design prototyping ui ux-design ux-experience

Affected surfaces

rce_ssrf

ReleasePort's take

Moderate signal
editorial:auto 13d

The MCP ReplServer was incorrectly bound to all network interfaces, enabling unauthenticated remote code execution.

Why it matters: Update to Penpot 2.15.0 immediately; the vulnerability permits RCE without authentication and affects any deployment that exposes the MCP ReplServer.

Summary

AI summary

Fix the MCP ReplServer binding to all interfaces (0.0.0.0) instead of localhost, which allowed unauthenticated RCE.

Changes in this release

All entries below are sourced from llm_adapter@2026-05-21; the confidence rating is given per entry.

  • Security (Medium): Add security headers to Nginx on Docker images. Confidence: low
  • Security (Medium): Fix MCP ReplServer binding to all interfaces, allowing unauthenticated RCE. Confidence: low
  • Feature (Medium): Add MCP server integration. Confidence: high
  • Feature (Medium): Add chunked upload API for large media and binary files. Confidence: high
  • Feature (Medium): Enhance readability of applied tokens in plugins API. Confidence: high
  • Feature (Medium): Add anonymous telemetry event collection. Confidence: low
  • Performance (Medium): Improve MCP server logging, adding Loki support. Confidence: high
  • Performance (Medium): Reduce memory usage of MCP server when handling images. Confidence: high
  • Performance (Medium): Fix keep-alive interval leak in PluginBridge. Confidence: high
  • Bugfix (Medium): Fix text edition mode not exited when changing selection, blocking token application. Confidence: high
  • Bugfix (Medium): Fix Plugin API token methods rejecting JS array of strings. Confidence: high
  • Bugfix (Medium): Fix maximum call stack size exceeded in SSE read-stream. Confidence: high
  • Bugfix (Medium): Fix incorrect handling of version restore operation. Confidence: high
  • Bugfix (Medium): Fix multiple selection on shapes with token applied to stroke color. Confidence: high
  • Bugfix (Medium): Fix release notes modal appearing behind the dashboard sidebar. Confidence: low
  • Bugfix (Medium): Fix empty warning on login. Confidence: low
  • Bugfix (Medium): Fix MCP integrations URL copy action to match the URL displayed in settings. Confidence: low
  • Bugfix (Medium): Fix swapped analytics event names on MCP tab-switch dialog. Confidence: low
  • Bugfix (Medium): Fix onboarding modals appearing behind libraries and templates panel. Confidence: low
  • Refactor (Medium): Improve team name validation. Confidence: high
  • Refactor (Medium): Encourage use of flex/grid layouts in designs generated via MCP. Confidence: low

Full changelog

New features & Enhancements

  • Add MCP server integration (GitHub #9174)
  • Add chunked upload API for large media and binary files (removes previous upload size limits) (GitHub #9516)
  • Add anonymous telemetry event collection (GitHub #9467)
  • Improve team name validation (GitHub #9517)
  • Enhance readability of applied tokens in plugins API (GitHub #9175)
  • Encourage use of flex/grid layouts in designs generated via MCP (GitHub #9081)
  • Improve MCP server logging, adding Loki support (GitHub #9415)
  • Add security headers to Nginx on Docker images (GitHub #9519)

Bugs fixed

  • Fix text edition mode not exited when changing selection, blocking token application (GitHub #9346)
  • Reduce memory usage of MCP server when handling images (by @opcode81) (GitHub #9420)
  • Fix Plugin API token methods rejecting JS array of strings (by @boskodev790) (GitHub #9162)
  • Fix release notes modal appearing behind the dashboard sidebar (by @RenzoMXD) (GitHub #8296)
  • Fix empty warning on login (GitHub #9520)
  • Fix maximum call stack size exceeded in SSE read-stream (GitHub #9470)
  • Fix incorrect handling of version restore operation (GitHub #9515)
  • Fix MCP ReplServer binding to all interfaces (0.0.0.0) instead of localhost, which allowed unauthenticated RCE (GitHub #9518)
  • Fix MCP integrations URL copy action to match the URL displayed in settings (GitHub #9238)
  • Fix swapped analytics event names on MCP tab-switch dialog (by @Dexterity104) (GitHub #9496)
  • Fix multiple selection on shapes with token applied to stroke color (GitHub #9522)
  • Fix onboarding modals appearing behind libraries and templates panel (GitHub #9521)
  • Fix keep-alive interval leak in PluginBridge (by @opcode81) (GitHub #9430)

Security Fixes

  • Fix MCP ReplServer binding to all interfaces (0.0.0.0) instead of localhost, preventing unauthenticated RCE (issue #9518)


About penpot

Penpot: The open-source design tool for design and code collaboration

