
Zero-TOTP

v1.13.1 Security

This release includes 1 security fix; relevant to teams running internet-exposed deployments.

Published 13d ago · Secrets & Credentials
No CVE identifiers cited: the vendor labels the change only "security patch", and the dependency bumps are described as fixing vulnerable dependencies without naming advisories.

Topics

totp web zero-knowledge-encryption

Affected surfaces

auth breaking_upgrade deps

ReleasePort's take

Light signal
editorial:auto 12d

Zero‑TOTP v1.13.1 ships a security patch that the vendor describes only as "highly recommended" (no CVE or affected component is named beyond the vault integrity fix listed below), adds a transactional vault/passphrase update flow with atomic commit/rollback, and refactors the backend into a service layer under api/Services/. It also removes the /update/vault route, so clients still calling it will break on upgrade.

Why it matters: an unspecified security fix in a credential-storing app warrants a prompt upgrade. The one security-relevant change the changelog names is vault integrity validation that now rejects missing or foreign UUIDs, i.e. vault entries a caller should not be able to touch.

Summary

AI summary

Mixed release: one vendor-flagged security fix, a transactional vault update flow, a service-layer backend refactor, dependency bumps (python-multipart, Mako, urllib3), and removal of the /update/vault route (breaking).

Changes in this release

Security High

Fixed vault integrity validation to reject missing or foreign UUIDs.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Security Medium

Security patch applied; upgrade highly recommended.

Source: llm_adapter@2026-05-22

Confidence: high

Feature Medium

Added transactional vault/passphrase update flow with atomic SQLAlchemy commit/rollback handling.

Source: llm_adapter@2026-05-22

Confidence: low
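The two items above (vault integrity validation that rejects missing or foreign UUIDs, and the transactional update flow that removes partial-update risk) are two halves of one server-side check, so here is a single added example of that shape. This is editorial code, not Zero‑TOTP's own: the payload layout (a list of entries with "uuid" and "ciphertext" fields), the table schema and every function name are assumptions, and sqlite3 stands in for the project's SQLAlchemy models so the example runs offline.

```python
import sqlite3
import uuid
from typing import Iterable


class VaultValidationError(ValueError):
    """Raised when a submitted vault references entries the caller may not write."""


def validate_entries(entries: Iterable[dict], owned_uuids: set[str]) -> list[dict]:
    """Reject entries whose UUID is missing, malformed, duplicated or foreign.

    'Foreign' covers both another user's UUID and a UUID that exists nowhere; both
    get the same error so the response does not reveal whether someone else's entry exists.
    """
    seen: set[str] = set()
    cleaned: list[dict] = []
    for pos, entry in enumerate(entries):
        raw = entry.get("uuid")
        if not raw:
            raise VaultValidationError(f"entry {pos}: uuid missing")
        try:
            canonical = str(uuid.UUID(str(raw)))  # normalises case/braces, rejects garbage
        except ValueError:
            raise VaultValidationError(f"entry {pos}: uuid malformed") from None
        if canonical in seen:
            raise VaultValidationError(f"entry {pos}: uuid duplicated in payload")
        if canonical not in owned_uuids:
            raise VaultValidationError(f"entry {pos}: uuid not owned by caller")
        ciphertext = entry.get("ciphertext")
        if not isinstance(ciphertext, str) or not ciphertext:
            raise VaultValidationError(f"entry {pos}: ciphertext missing")
        seen.add(canonical)
        cleaned.append({"uuid": canonical, "ciphertext": ciphertext})
    return cleaned


# Hypothetical schema; sqlite3 stands in for the project's SQLAlchemy-backed database.
SCHEMA = "CREATE TABLE entries (uuid TEXT PRIMARY KEY, user_id INTEGER NOT NULL, ciphertext TEXT NOT NULL);"


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:", isolation_level=None)  # we issue BEGIN/COMMIT ourselves
    conn.executescript(SCHEMA)
    return conn


def owned_uuids(conn: sqlite3.Connection, user_id: int) -> set[str]:
    rows = conn.execute("SELECT uuid FROM entries WHERE user_id = ?", (user_id,))
    return {row[0] for row in rows}


def update_vault(conn: sqlite3.Connection, user_id: int, entries: list[dict]) -> int:
    """Apply the whole update or none of it; returns the number of rows written.

    Ownership is read inside the same write transaction (BEGIN IMMEDIATE takes the
    write lock up front), so nothing can change between the ownership check and the UPDATEs.
    """
    conn.execute("BEGIN IMMEDIATE")
    try:
        cleaned = validate_entries(entries, owned_uuids(conn, user_id))
        written = 0
        for entry in cleaned:
            cur = conn.execute(
                "UPDATE entries SET ciphertext = ? WHERE uuid = ? AND user_id = ?",
                (entry["ciphertext"], entry["uuid"], user_id),
            )
            written += cur.rowcount
        if written != len(cleaned):  # the WHERE clause re-checks ownership; any miss aborts
            raise VaultValidationError("row count mismatch; refusing partial update")
        conn.execute("COMMIT")
        return written
    except Exception:
        conn.execute("ROLLBACK")
        raise


def demo() -> dict:
    """Constructed scenario: user 1 owns entries a and b, user 2 owns entry c."""
    conn = open_db()
    a, b, c = (str(uuid.uuid4()) for _ in range(3))
    conn.executemany("INSERT INTO entries VALUES (?, ?, ?)",
                     [(a, 1, "ct-a"), (b, 1, "ct-b"), (c, 2, "ct-c")])
    out: dict = {"a": a, "b": b, "c": c}
    # Legitimate update touching both of user 1's entries.
    out["ok"] = update_vault(conn, 1, [{"uuid": a, "ciphertext": "ct-a2"},
                                       {"uuid": b, "ciphertext": "ct-b2"}])
    # Second entry names user 2's UUID: nothing is written, not even the first entry.
    try:
        update_vault(conn, 1, [{"uuid": a, "ciphertext": "ct-a3"},
                               {"uuid": c, "ciphertext": "ct-c-hijacked"}])
    except VaultValidationError as exc:
        out["foreign"] = str(exc)
    # Entry with no UUID at all.
    try:
        update_vault(conn, 1, [{"ciphertext": "orphan"}])
    except VaultValidationError as exc:
        out["missing"] = str(exc)
    out["rows"] = dict(conn.execute("SELECT uuid, ciphertext FROM entries").fetchall())
    return out
```

Running demo() shows the property the fix is about: after the rejected batch, entry a still holds "ct-a2" and entry c is untouched, because the ownership failure on the second entry rolls back the first entry's write as well.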

Feature Medium

Introduced new service-oriented backend architecture under `api/Services/`.

Source: llm_adapter@2026-05-22

Confidence: low

Feature Low

Added `POST /encrypted_secrets` endpoint for batch encrypted secret imports.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Low

Introduced frontend `TOTPEntry` interface and shared vault utilities.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Low

Added new frontend helpers for vault retrieval, passphrase handling, URI parsing, and tag management.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Low

Added circular TOTP refresh indicator and improved refresh timing behavior.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Low

Expanded API test coverage for vault updates, ownership validation, and batch uploads.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Low

Added `make codegen` helper for Playwright test generation.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Dependency Medium

Updated vulnerable dependencies: python-multipart → 0.0.27, Mako → 1.3.12, urllib3 → 2.7.0.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Performance Medium

Fixed race conditions during vault reload and synchronization.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Performance Low

Improved in-memory vault state management and synchronization logic.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Performance Low

Fixed frontend rendering instability and reduced unnecessary reloads/layout shifts.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Deprecation Low

Removed obsolete `/vault/reload` route.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Bugfix Medium

Fixed partial vault update risks by enforcing fully transactional vault updates.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Bugfix Medium

Fixed stale vault state issues after passphrase updates.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Bugfix Medium

Fixed Docker build failures caused by missing backend service directories.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Bugfix Low

Fixed TOTP generation issues occurring after vault updates.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Bugfix Low

Fixed inconsistent filtering/tag behavior in the frontend.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Bugfix Low

Fixed promise chains where values were not properly returned.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Bugfix Low

Fixed TOTP timing calculation and interval handling issues.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low
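Three frontend items in this release (the otpauth URI parsing helper, the circular refresh indicator, and the TOTP timing/interval fix) all hinge on the same RFC 6238 arithmetic, so one added example covers them. This is editorial code, not Zero‑TOTP's frontend (which is TypeScript); the TOTPEntry field names, the otpauth:// parameter handling and the helper names are assumptions. It uses only the standard library, and the constructed URI carries the RFC 6238 Appendix B reference seed so the codes can be checked against the published SHA1 test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


@dataclass(frozen=True)
class TOTPEntry:
    """Fields a vault entry needs to generate codes (field names are assumed)."""
    label: str
    secret: bytes
    issuer: str = ""
    algorithm: str = "SHA1"
    digits: int = 6
    period: int = 30


def decode_base32(secret: str) -> bytes:
    """Accept the lax base32 users paste: spaces, dashes, lowercase, no '=' padding."""
    cleaned = secret.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def parse_otpauth(uri: str) -> TOTPEntry:
    """Parse otpauth://totp/[issuer:]label?secret=...&issuer=...&algorithm=...&digits=...&period=..."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "otpauth" or parts.netloc.lower() != "totp":
        raise ValueError("only otpauth://totp/ URIs are supported")
    label = unquote(parts.path.lstrip("/"))
    params = {k.lower(): v[-1] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("secret parameter missing")
    issuer = params.get("issuer", "")
    if ":" in label:  # "Issuer:account" label form; the query issuer wins if both are present
        prefix, label = label.split(":", 1)
        issuer = issuer or prefix
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm}")
    digits, period = int(params.get("digits", 6)), int(params.get("period", 30))
    if digits not in (6, 7, 8) or period <= 0:
        raise ValueError("digits must be 6-8 and period must be positive")
    return TOTPEntry(label.strip(), decode_base32(params["secret"]), issuer.strip(),
                     algorithm, digits, period)


def time_step(entry: TOTPEntry, now: float) -> int:
    """Counter T = floor(now / period). The code changes exactly when T changes."""
    return int(now) // entry.period


def seconds_remaining(entry: TOTPEntry, now: float) -> int:
    """Seconds until T increments: what a circular refresh indicator should draw.

    Computed from the same truncated integer time as time_step, so the indicator and
    the displayed code never disagree; the result is always in 1..period.
    """
    return entry.period - int(now) % entry.period


def hotp(secret: bytes, counter: int, digits: int, algorithm: str) -> str:
    """RFC 4226 HOTP with dynamic truncation; the counter is 8 bytes big-endian."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(entry: TOTPEntry, now: Optional[float] = None) -> str:
    """RFC 6238 TOTP for the given Unix time (defaults to the current clock)."""
    return hotp(entry.secret, time_step(entry, time.time() if now is None else now),
                entry.digits, entry.algorithm)


# Constructed URI carrying the RFC 6238 Appendix B reference seed "12345678901234567890"
# (base32-encoded) with 8-digit codes, so outputs match the RFC's SHA1 test vectors.
RFC_URI = ("otpauth://totp/Example:alice%40example.com"
           "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")
```

With the RFC seed, totp(entry, 59) is "94287082" and totp(entry, 1111111109) is "07081804"; the second value also shows why zfill matters, since a leading zero dropped from the display is the classic off-by-one-digit bug. The two timestamps 1111111109 and 1111111111 sit on either side of a step boundary, which is the case a refresh indicator gets wrong when it computes the remaining seconds from a different clock read than the one used for the counter.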

Refactor Low

Updated OpenAPI/Swagger documentation for new endpoints and payload schemas.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Refactor Low

Fixed OpenAPI schema inconsistencies and formatting issues.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Refactor Low

Refactored frontend vault loading and decryption logic.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Refactor Low

Improved code modularization and separation of concerns across backend/frontend.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Full changelog

[!important]
This version brings a security patch. Upgrade is highly recommended.

🐳 New Docker images

Update available under the following tags: 1.13, 1.13.1 and latest.
Recommended tag:

  • API : ghcr.io/seaweedbraincy/zero-totp-api:1.13
  • Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:1.13

Exact tag:

  • API : ghcr.io/seaweedbraincy/zero-totp-api:1.13.1
  • Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:1.13.1

Latest tag:

  • API : ghcr.io/seaweedbraincy/zero-totp-api:latest
  • Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:latest

Features

  • Added transactional vault/passphrase update flow with atomic SQLAlchemy commit/rollback handling
  • Introduced new service-oriented backend architecture under api/Services/
  • Added POST /encrypted_secrets endpoint for batch encrypted secret imports
  • Added support for importing vaults through end-to-end tests
  • Introduced frontend TOTPEntry interface and shared vault utilities
  • Added new frontend helpers for vault retrieval, passphrase handling, URI parsing, and tag management
  • Improved in-memory vault state management and synchronization logic
  • Added circular TOTP refresh indicator and improved refresh timing behavior
  • Expanded API test coverage for vault updates, ownership validation, and batch uploads
  • Added make codegen helper for Playwright test generation
  • Updated OpenAPI/Swagger documentation for new endpoints and payload schemas

Fix

  • Fixed partial vault update risks by enforcing fully transactional vault updates
  • Fixed vault integrity validation to reject missing or foreign UUIDs
  • Fixed stale vault state issues after passphrase updates
  • Fixed race conditions during vault reload and synchronization
  • Fixed TOTP generation issues occurring after vault updates
  • Fixed inconsistent filtering/tag behavior in the frontend
  • Fixed promise chains where values were not properly returned
  • Fixed Docker build failures caused by missing backend service directories
  • Fixed frontend rendering instability and reduced unnecessary reloads/layout shifts
  • Fixed TOTP timing calculation and interval handling issues
  • Fixed OpenAPI schema inconsistencies and formatting issues

Chore

  • Migrated /update/vault logic out of legacy controllers.py
  • Added deprecation notice to legacy controller architecture
  • Refactored GitHub Actions workflows for improved maintainability and shell safety
  • Removed SonarQube integration and consolidated CI workflows
  • Updated vulnerable dependencies:
    • python-multipart → 0.0.27
    • Mako → 1.3.12
    • urllib3 → 2.7.0
  • Refactored frontend vault loading and decryption logic
  • Removed obsolete /vault/reload route
  • Improved code modularization and separation of concerns across backend/frontend
  • Updated existing tests to support new vault payload structure and validation rules

Breaking Changes

  • Removed /update/vault route

Security Fixes

  • Security patch – upgrade is highly recommended


About Zero-TOTP

Complete, reliable, secure and zero-trust webapp based on zero-knowledge encryption to store your TOTP codes.
