This release includes 2 security fixes for security teams reviewing exposed deployments.
ReleasePort's take
Light signal: Release v1.28.4 fixes massive API payload bloat by cleaning corrupted AI object metadata, cutting JSON size by 8.5 MB.
Why it matters: Patch to v1.28.4 immediately if your backend experiences large JSON payloads; the fix reduces response size by 8.5 MB and prevents related performance degradation.
Summary
AI summary: Fixed massive API payload bloat by cleaning corrupted AI object metadata, reducing JSON size by 8.5 MB.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | Schema Hardening implemented strict Pydantic-level length constraints (2000 chars) for AI object settings to prevent database exhaustion attacks. Source: llm_adapter@2026-05-21. Confidence: high | — |
| Security | Medium | RBAC Audit verified integrity of all administrative and media endpoints via comprehensive security audit suite. Source: llm_adapter@2026-05-21. Confidence: high | — |
| Dependency | Medium | Security Policy updated SECURITY.md to reflect latest architectural improvements and performance optimizations. Source: llm_adapter@2026-05-21. Confidence: low | — |
| Performance | Medium | Turbocharged Backend resolved massive API payload bloat issue reducing 8.5MB JSON size by cleaning corrupted AI object metadata. Source: llm_adapter@2026-05-21. Confidence: high | — |
| Performance | Medium | Optimized Logging re-engineered TokenRedactingFilter with high-performance fast-fail keyword check ensuring sub-millisecond log processing even with large diagnostic messages. Source: llm_adapter@2026-05-21. Confidence: high | — |
| Bugfix | Medium | Frontend Sanitation patched AI Tab settings logic eliminating character-spread duplication bug ensuring data remains clean and structured. Source: llm_adapter@2026-05-21. Confidence: high | — |
| Refactor | Medium | Engine Resilience hardened AI Engine's hardware initialization logic with smarter fallback mechanism between EdgeTPU and CPU interpreters. Source: llm_adapter@2026-05-21. Confidence: high | — |
| Other | Medium | Knowledge Sync synchronized technical Wiki with marketing site including new guides on troubleshooting and resource exhaustion prevention. Source: llm_adapter@2026-05-21. Confidence: low | — |
Full changelog
Full Changelog: https://github.com/spupuz/VibeNVR/compare/v1.28.3...v1.28.4
🚀 Release v1.28.4 - Performance & Integrity Hardening
📝 Summary
This release focuses on critical system stability and architectural hardening. We have successfully neutralized a severe performance bottleneck caused by configuration data corruption while implementing robust safeguards to ensure VibeNVR remains lightweight and responsive under all conditions.
🛠️ Key Improvements
⚡ System Performance & Reliability
- 🚀 Turbocharged Backend: Resolved a massive API payload bloat issue (8.5MB JSON reduction) by cleaning corrupted AI object metadata.
- 📉 Optimized Logging: Re-engineered the `TokenRedactingFilter` with a high-performance fast-fail keyword check, ensuring sub-millisecond log processing even with large diagnostic messages.
- 🧬 Engine Resilience: Hardened the AI Engine's hardware initialization logic with a smarter, more reliable fallback mechanism between EdgeTPU and CPU interpreters.
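A sketch of the fast-fail idea behind a redacting log filter, added here as an illustration and not VibeNVR's own `TokenRedactingFilter`: a cheap substring scan decides whether the regex runs at all. The class name `FastFailRedactingFilter`, the keyword list, the secret pattern and the sample log lines are assumptions.

```python
import logging
import re

# Assumed marker substrings. A message containing none of them cannot match
# SECRET_RE, so the regex pass is skipped (the fast-fail path).
KEYWORDS = ("token", "bearer")
# Assumed secret shapes: token=<value>, token: <value>, Bearer <value>.
SECRET_RE = re.compile(r"(?i)\b(token\s*[=:]\s*|bearer\s+)([A-Za-z0-9._~+/=-]{8,})")


def redact(text: str) -> str:
    lowered = text.lower()
    if not any(keyword in lowered for keyword in KEYWORDS):
        return text  # fast fail: cheap substring scan, no regex work
    return SECRET_RE.sub(lambda m: m.group(1) + "[REDACTED]", text)


class FastFailRedactingFilter(logging.Filter):
    def filter(self, record: logging.LogRecord) -> bool:
        # Merge args first so secrets passed as %s arguments are covered too.
        record.msg, record.args = redact(record.getMessage()), None
        return True  # never drop the record, only rewrite it


class ListHandler(logging.Handler):
    """Collects emitted messages so the result can be inspected."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(record.getMessage())


def demo():
    handler = ListHandler()
    handler.addFilter(FastFailRedactingFilter())
    logger = logging.getLogger("redaction-demo")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    # Constructed sample log calls, not taken from VibeNVR.
    logger.info("GET /stream?token=%s", "abcDEF123456")
    logger.info("Authorization: Bearer %s", "eyJhbGciOi.payload.sig")
    logger.info("diagnostic dump: %s", "x" * 1_000_000)
    logger.removeHandler(handler)
    return handler.lines
```

The keyword list has to cover every prefix the pattern can match; a pattern alternative without a matching keyword would be skipped silently by the fast-fail check.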
🛡️ Security & Data Integrity
- 🏗️ Schema Hardening: Implemented strict Pydantic-level length constraints (2000 chars) for AI object settings to prevent future database exhaustion attacks.
- 🧼 Frontend Sanitation: Patched the AI Tab settings logic to eliminate the "character-spread" duplication bug, ensuring data remains clean and structured.
- 🕵️ RBAC Audit: Verified the integrity of all administrative and media endpoints via a comprehensive security audit suite.
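How a 2000-character bound at the schema layer rejects oversized settings before they reach the database, as an added example that is not VibeNVR's code. It requires the `pydantic` package; the model name `AIObjectSettings`, its field names and the `check` helper are hypothetical, since the release notes do not list the real ones.

```python
from typing import Optional, Tuple

from pydantic import BaseModel, Field, ValidationError

MAX_SETTING_CHARS = 2000  # limit stated in the release notes


class AIObjectSettings(BaseModel):
    # Hypothetical fields standing in for the project's AI object settings.
    object_types: str = Field(default="", max_length=MAX_SETTING_CHARS)
    zone_mask: str = Field(default="", max_length=MAX_SETTING_CHARS)


def check(payload: dict) -> Tuple[bool, Optional[str]]:
    """Validate a settings payload; return (accepted, reason)."""
    try:
        AIObjectSettings(**payload)
        return True, None
    except ValidationError as exc:
        # Report only the offending field names. Echoing the rejected value
        # would copy the oversized input into logs and error responses.
        fields = sorted({str(err["loc"][0]) for err in exc.errors()})
        return False, "rejected: " + ", ".join(fields)


if __name__ == "__main__":
    # Constructed inputs: one at the limit, one a character over, and one
    # roughly the size of the 8.5 MB bloat described in this release.
    print(check({"object_types": "a" * 2000}))
    print(check({"object_types": "a" * 2001}))
    print(check({"zone_mask": "x" * 8_500_000}))
```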
📚 Documentation & Observability
- 📖 Knowledge Sync: Synchronized the technical Wiki with the marketing site, including new guides on troubleshooting and resource exhaustion prevention.
- 🔐 Security Policy: Updated `SECURITY.md` to reflect the latest architectural improvements and performance optimizations.
Status: Stable & Verified ✅
Auditor: Antigravity AI
Security Fixes
- Added Pydantic length constraints (2000 chars) to AI object settings to prevent database exhaustion attacks
- Patched AI Tab settings logic to eliminate character‑spread duplication bug
Earlier breaking changes
- v1.28.3 Must update docker-compose.yml with TZ variable for all services