server

v2.3.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 12d File Storage & Sync
This release patches 1 known CVE

Topics

cloud-alternative collaboration collaborative-editing dropbox file-server file-sharing file-storage file-sync full-text-search self-hosted nextcloud on-premise privacy-first private-cloud realtime secure storage-server webdav

Affected surfaces

auth rce_ssrf

ReleasePort's take

Light signal
editorial:auto 12d

Sync‑In v2.3.0 introduces a fully featured Markdown editor and unified search while hardening security controls such as read‑only trash, improved SSRF protection, and scoped guest‑link visibility.

Why it matters: Security updates block modification of trashed files, restrict guest‑link accounts to their managers/personal groups, and enhance URL download safeguards against IPv4‑mapped IPv6, DNS rebinding, unsafe redirects, proxy bypasses, and oversized streams.

Summary

AI summary

Updates Bug Fixes, @zjean, and https://sync-in.com/news/sync-in-2-3 across a mixed release.

Changes in this release

Security Medium

Deletes failed uploads from destination space and uses temporary files for replacements.

Source: llm_adapter@2026-05-22

Confidence: high

Security Medium

Restricts guest‑link accounts to see only their managers and personal groups.

Source: llm_adapter@2026-05-22

Confidence: high

Security Medium

Blocks modification and creation of files in trash, treating them as read‑only.

Source: llm_adapter@2026-05-22

Confidence: low

Security Medium

Strengthens SSRF protection for URL downloads against IPv4‑mapped IPv6, DNS rebinding, unsafe redirects, proxy bypasses and oversized streams.

Source: llm_adapter@2026-05-22

Confidence: low

Feature Medium

Integrated Markdown editor with tables, task lists, images, code blocks, file locking and unsaved‑change protection.

Source: llm_adapter@2026-05-22

Confidence: high

Feature Medium

Unified editor search across text and Markdown editors with result count navigation.

Source: llm_adapter@2026-05-22

Confidence: high

Feature Medium

Configurable document creation allowing administrators to show or hide OpenDocument and Office templates.

Source: llm_adapter@2026-05-22

Confidence: high

Feature Medium

Optional trash retention configurable separately for user spaces and collaborative spaces.

Source: llm_adapter@2026-05-22

Confidence: high

Feature Medium

Extended OIDC/LDAP synchronization to include avatar and storage quota attributes.

Source: llm_adapter@2026-05-22

Confidence: high

Feature Medium

User visibility control via `showUngroupedUsers: false` to hide ungrouped users globally.

Source: llm_adapter@2026-05-22

Confidence: high

Feature Medium

Increased text and Markdown edit size limit from 10 MB to 25 MB.

Source: llm_adapter@2026-05-22

Confidence: high

Performance Medium

Improved content indexing with more memory‑efficient full‑text indexing, batched metadata processing and safer cleanup.

Source: llm_adapter@2026-05-22

Confidence: high

Bugfix Medium

Correctly creates temporary paths for accounts associated with guest links.

Source: llm_adapter@2026-05-22

Confidence: high

Bugfix Medium

Stronger uniqueness checks prevent rare duplicate file storage cases.

Source: llm_adapter@2026-05-22

Confidence: high

Bugfix Medium

Reliably releases editable file locks when editors or the browser are closed.

Source: llm_adapter@2026-05-22

Confidence: high

Bugfix Medium

Recalculates MIME types after file rename, move or replacement.

Source: llm_adapter@2026-05-22

Confidence: high

Bugfix Medium

Shows disabled trash for disabled spaces and prevents browsing it.

Source: llm_adapter@2026-05-22

Confidence: high

Bugfix Medium

Improves range file selection reliability when filtering is enabled.

Source: llm_adapter@2026-05-22

Confidence: high

Bugfix Medium

Ensures renaming selects only the filename without extension.

Source: llm_adapter@2026-05-22

Confidence: high

Bugfix Medium

Polishes sidebar submenu visibility, table row height, dialog spacing and viewer tooltips.

Source: llm_adapter@2026-05-22

Confidence: low

Full changelog

Highlights

  • Integrated Markdown editor: visual/source Markdown editing with tables, task lists, images, code blocks, file locking and unsaved-change protection
  • Unified editor search: shared search UI for text and Markdown editors, with result count and previous/next navigation
  • Configurable document creation: administrators can show or hide OpenDocument and Microsoft Office templates
  • Optional trash retention: automatic cleanup can now be configured separately for user spaces and collaborative spaces
  • Improved content indexing: more memory-efficient full-text indexing, batched metadata processing and safer cleanup
  • OIDC/LDAP synchronization extended: OIDC avatar synchronization and storage quota synchronization through LDAP attributes or OIDC claims
  • User visibility controls: users without a group can now be hidden from global visibility with `showUngroupedUsers: false`
  • Text and Markdown editing improvements: better text file detection and increased edit size limit from 10 MB to 25 MB

🐞 Bug Fixes

  • Guest link temporary paths: temporary paths for accounts associated with guest links are now created correctly
  • File storage consistency: stronger uniqueness checks prevent rare duplicate file storage cases (@zjean)
  • More reliable file unlocking: editable file locks are now released more reliably when editors or the browser are closed
  • MIME type updates: MIME types are now recalculated after file rename, move or replacement
  • Disabled space trash handling: trash for disabled spaces is now shown as disabled and can no longer be browsed
  • Improved file selection: range selection works more reliably with filtering enabled
  • Safer renaming: renaming now selects only the file name, without the extension
  • Web interface polish: sidebar submenu visibility, table row height, dialog spacing and viewer tooltips were refined

⚠️ Security

  • Trash immutability for spaces
    Files in the trash are now treated as read-only items. Modifying files in the trash and creating new files there are now blocked.

  • More reliable uploads
    Failed uploads are no longer kept in the destination space. File replacements now use temporary files before replacing the destination.

  • Better guest link isolation
    Accounts created from guest links now have restricted visibility over users and groups, limited to their managers and personal groups.

  • Fixed a security vulnerability: CVE-2026-47684
    SSRF protection for URL downloads has been strengthened, notably against IPv4-mapped IPv6 bypasses, DNS rebinding, unsafe redirects, proxy bypasses and oversized data streams.
    Reported by @x0root
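
A sketch of three of the checks named in the SSRF item above, added here as an illustration and not taken from Sync-in's code: unwrap IPv4-mapped IPv6 before range checks, resolve each hop once and pin the vetted address (so a second lookup cannot rebind), and vet every redirect target as a fresh hop. All function names, hostnames and addresses are constructed; proxy handling and stream size limits are not covered.

```javascript
// Added example, not Sync-in code: resolve()/nextLocation() stand in for DNS and a manual 3xx read.
const V4_INTERNAL = [['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 3]];
function v4ToInt(ip) { // dotted quad -> unsigned 32-bit integer, or null
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  const o = m ? m.slice(1).map(Number) : [256];
  return o.some(x => x > 255) ? null : ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}
const v4Internal = n => V4_INTERNAL.some(([base, bits]) => ((n & (~0 << (32 - bits))) >>> 0) === v4ToInt(base));
function v6ToGroups(ip) { // IPv6 text -> eight 16-bit groups, or null
  const d = /^(.*:)(\d+\.\d+\.\d+\.\d+)$/.exec(ip); // trailing dotted quad, e.g. ::ffff:127.0.0.1
  const n = d && v4ToInt(d[2]);
  const s = d ? `${d[1]}${(n >>> 16).toString(16)}:${(n & 0xffff).toString(16)}` : ip;
  const halves = s.split('::');
  const [head, tail] = [halves[0], halves[1] || ''].map(h => (h ? h.split(':') : []));
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (halves.length > 2 || fill < 0 || (d && n === null)) return null;
  const g = [...head, ...Array(fill).fill('0'), ...tail];
  return g.length === 8 && g.every(h => /^[0-9a-f]{1,4}$/i.test(h)) ? g.map(h => parseInt(h, 16)) : null;
}
function isInternal(ip) {
  if (v4ToInt(ip) !== null) return v4Internal(v4ToInt(ip));
  const g = v6ToGroups(ip);
  if (!g) return true; // unparseable address: fail closed
  // IPv4-mapped IPv6: judge the embedded IPv4 address, not the IPv6 wrapper
  if (g.slice(0, 5).every(x => !x) && g[5] === 0xffff) return v4Internal(((g[6] << 16) | g[7]) >>> 0);
  if (g.slice(0, 7).every(x => !x) && g[7] <= 1) return true; // :: and ::1
  return (g[0] & 0xfe00) === 0xfc00 || (g[0] & 0xffc0) === 0xfe80; // unique-local, link-local
}

function vetDownload(startUrl, resolve, nextLocation, maxHops = 3) {
  const pins = [];
  for (let url = startUrl, hop = 0; hop <= maxHops; hop++) {
    const u = new URL(url); // WHATWG parsing also canonicalises odd host spellings
    if (!['http:', 'https:'].includes(u.protocol)) return { ok: false, reason: 'scheme', url };
    const host = u.hostname.replace(/^\[|\]$/g, '');
    const addrs = host.includes(':') || v4ToInt(host) !== null ? [host] : resolve(host); // one lookup per hop
    if (!addrs.length || addrs.some(isInternal)) return { ok: false, reason: 'internal-address', url };
    pins.push({ url, connectTo: addrs[0] }); // connect to this vetted IP; a second lookup could rebind
    const loc = nextLocation(url);
    if (!loc) return { ok: true, pins };
    url = new URL(loc, url).href; // the redirect target is vetted as a fresh hop
  }
  return { ok: false, reason: 'too-many-redirects', url: startUrl };
}

// Constructed sample data; 203.0.113.0/24 (a documentation range) plays the public internet here.
const DNS = { 'files.example': ['203.0.113.10'], 'cdn.example': ['203.0.113.20'], 'rebind.example': ['203.0.113.30', '127.0.0.1'] };
const HOPS = { 'http://files.example/a': 'http://cdn.example/a', 'http://files.example/b': 'http://[::ffff:169.254.169.254]/' };
const vet = url => vetDownload(url, h => DNS[h] || [], u => HOPS[u] || null);
```

Any hop with even one internal answer is rejected, and the caller is expected to connect to `connectTo` rather than resolving the hostname again.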

Contributors: @Stephan-P, @7185, @q16marvin, @zjean, @fyr77, @TheLouD1, @markussbk, @Maxmystere, @romainsady

➡️ Read the release announcement

Features

  • backend:auth: allow trusted private IPs for OIDC avatar downloads (9c9b682)
  • backend:auth: harden OIDC avatar sync and add avatar metadata tracking (22ac4f0)
  • backend:auth: map configurable OIDC/LDAP storage quota to user profile (76b4b8c)
  • backend:files: enable HTML-to-text conversion for all base elements (6352393)
  • backend:files: optimize content indexing memory usage with batched metadata, run_id cleanup, and pending scheduler state (3d819cd)
  • backend:files: prevent file mutations in trash repository (738402c)
  • backend:files: split trash retention by repository type (1c490ee)
  • backend:files: support trusted private IP downloads (44261ea)
  • backend:files: trash retention support with indexing and cleanup (c990335)
  • backend:users: add avatar synchronization for OIDC users (8790c19)
  • backend:users: add showUngroupedUsers toggle for ungrouped account visibility (2fad377)
  • backend:users: convert uploaded avatars to PNG during update (47af28b)
  • backend:users: hide all users and groups for guest-link accounts (c5e1988)
  • files: add a disabled indexing state and update scheduler/admin indexing workflows (f7fc4f1)
  • files: add optional document types for frontend (7e8f64f)
  • frontend:files: add binary probe for unknown text files (fea9e17)
  • frontend:files: implement common file viewer search (ae3866e)
  • frontend:files: improve markdown detection and viewer handling (3d2d871)
  • frontend:files: refine file actions for trash and selection menus (666d661)
  • frontend:files: refresh MIME metadata after move (bb85795)
  • frontend:files: select filename without extension when renaming files (163b5c9)
  • frontend:files: start implementing markdown viewer editor (f36a2bc)
  • frontend:files: WIP markdown viewer editor (c2bf44f)

Bug Fixes

  • backend:files: harden multipart upload replacement (c63f83c)
  • backend:files: harden remote downloads against SSRF, redirects, proxy bypasses and oversized streams (22e773e)
  • backend:files: make space file lookup resilient to stale kind (5f64673)
  • backend:links: ensure tmp path is created after authentication for guest links (d782aaa)
  • backend:spaces: invalidate spaces cache when space state changes (0c95836)
  • backend:users: restrict usersWhitelist so guests only see shared-group or managed users (17fd9ba)
  • backend:users: unify avatar rendering to 512px and tune dynamic font scaling (6ecd91d)
  • files,comments: prevent duplicate file rows and handle undefined fileId (c04adef)
  • frontend:admin: adjust group dialog spacing (c30b72d)
  • frontend:admin: allow admins to see all users when selecting members in spaces and child shares (cba4eeb)
  • frontend:auth: handle impersonation logout without token refresh retry and force fallback logout on error (ead2508)
  • frontend:files: unlock extensionless text files on viewer close (9595153)
  • frontend:files: fix range file selection when filtering is enabled (43125d5)
  • frontend:files: hide PDF viewer toggle label on mobile (9d1154e)
  • frontend:files: initialize file selection after dialog view init (9d0fe08)
  • frontend:files: prevent stale save tooltip in viewers (70b3b98)
  • frontend:files: release editable viewer lock on destroy (5fdc7b2)
  • frontend:files: unlock text editors on page unload (4f9025e)
  • frontend:layout: update hasSubmenus based on visible sidebar submenus (22a9bca)

Security Fixes

  • CVE-2026-47684 — SSRF protection for URL downloads strengthened against IPv4‑mapped IPv6, DNS rebinding, unsafe redirects, proxy bypasses and oversized streams


About server

Sync-in server · Secure, open-source platform for file storage, sharing, collaboration, and syncing.
