
pocketbase

v0.38.2 Feature

This release adds 2 notable features for engineering teams evaluating rollout.

Published 12d API Development
✓ No known CVEs patched


Topics

authentication backend go realtime

Affected surfaces

breaking_upgrade

ReleasePort's take

Light signal
editorial:auto 12d

PocketBase v0.38.2 adds a MaxTimeout field to RealtimeConnectRequestEvent and enhances realtime API security with extra IP checks, while fixing pagination reset on record updates.

Why it matters: Test the new MaxTimeout configuration in dev and enable the updated IP bruteforce protections; the pagination fix resolves unintended resets during updates.

Summary

AI summary

Prevent brute‑force guest subscription updates and stop resetting pagination on record updates.

Changes in this release

Feature Medium

Added RealtimeConnectRequestEvent.MaxTimeout field for max realtime connection duration.


Source: llm_adapter@2026-05-22

Confidence: high

Feature Medium

Added extra IP checks to realtime APIs for bruteforce protection.


Source: llm_adapter@2026-05-22

Confidence: low

Dependency Medium

Updated golang.org/x/ packages to include recent security fixes.


Source: llm_adapter@2026-05-22

Confidence: low

Bugfix Medium

Prevents records list pagination reset on record update.


Source: llm_adapter@2026-05-22

Confidence: high

Full changelog

To update the prebuilt executable you can run ./pocketbase update.

  • Added RealtimeConnectRequestEvent.MaxTimeout field to specify the absolute max duration a realtime connection can remain open (default to 30mins).
    This is in addition to the IdleTimeout of 5mins in order to prevent misuse and to allow the GC to run more regularly.

  • Added extra checks for the connected user IP in the realtime APIs to prevent bruteforce guest subscription update attempts and to serve as an extra protection for the "all-in-one" OAuth2 realtime handler.

  • Don't reset the records list pagination on record update (#7694).

  • Updated all golang.org/x/ packages to cover the recent security fixes (none of them should be a critical issue in PocketBase but nonetheless it is advised to update).
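
Why an absolute cap is needed on top of an idle timeout, as an added example (a simplified model written for this page, not PocketBase code). It assumes the idle timer restarts on every message; closeAt, keepAlive and the sample traffic are hypothetical, and only the 5 and 30 minute values come from the changelog.

```go
package main

import (
	"fmt"
	"time"
)

// closeAt returns when, and by which timer, a connection is closed.
// Simplified model, not PocketBase's implementation. Assumptions: the idle
// timer restarts on every message, the max timer never restarts, and
// maxT <= 0 means "no absolute cap" (this model's convention only).
// activity holds message offsets since connect, in ascending order.
func closeAt(activity []time.Duration, idle, maxT time.Duration) (time.Duration, string) {
	capped := maxT > 0
	idleDeadline := idle
	for _, at := range activity {
		if at >= idleDeadline || (capped && at >= maxT) {
			break // the connection was already closed before this message
		}
		idleDeadline = at + idle
	}
	if capped && maxT <= idleDeadline {
		return maxT, "max"
	}
	return idleDeadline, "idle"
}

// keepAlive builds constructed sample input: one message every `every` up to `total`.
func keepAlive(every, total time.Duration) []time.Duration {
	var out []time.Duration
	for at := every; at <= total; at += every {
		out = append(out, at)
	}
	return out
}

func main() {
	idle, maxT := 5*time.Minute, 30*time.Minute // values from the changelog
	chatty := keepAlive(4*time.Minute, 2*time.Hour)
	for _, c := range []struct {
		name     string
		activity []time.Duration
		maxT     time.Duration
	}{{"idle only, chatty client", chatty, 0}, {"idle + max, chatty client", chatty, maxT}, {"idle + max, silent client", nil, maxT}} {
		at, why := closeAt(c.activity, idle, c.maxT)
		fmt.Printf("%-26s closed at %v by %s timer\n", c.name, at, why)
	}
}
```

With the idle timer alone, a client that produces traffic every 4 minutes holds the connection for as long as the traffic lasts; with the cap it is closed at 30 minutes regardless.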


About pocketbase

Open Source realtime backend in 1 file
