
Thingsboard

v4.2.2.2 (security release)

This release addresses 25 CVEs (listed under Security below) together with a CWE-770 resource-exhaustion fix in Jackson Core, two SSRF fixes (AI model provider URLs and the TBEL script sandbox) and a hardening of remote JS executor invocation. Teams running internet-exposed ThingsBoard deployments should prioritise the upgrade.

Published 6d ago. Category: Home Automation

Topics

big-data, cloud, coap-server, dashboards, http, iiot, iot, iot-analytics, iot-framework, iot-platform, iot-solutions, lwm2m-server, microservices, middleware, mqtt, snmp, thingsboard, visualization

Affected surfaces

rce_ssrf, auth

Summary

AI summary

25 CVEs fixed, plus a CWE-770 (allocation of resources without limits or throttling) fix in Jackson Core, SSRF fixes in AI model provider URLs and in the TBEL script sandbox (which also closed a file access issue), and hardened remote JS executor script invocation. The non-security changes cover Core & Rule Engine (including a REST API Call node fix for a blocked actor thread and leaked semaphore permits, and WS session limit handling for public users), UI, and Transport (automatic SSL/TLS certificate reload without restart).

Full changelog

What's Changed

Security

  • Fixed CWE-770 in Jackson Core by @zzzeebra in https://github.com/thingsboard/thingsboard/pull/15368
  • Fixed CVE-2026-34487, CVE-2026-34486, CVE-2026-34483 by @zzzeebra in https://github.com/thingsboard/thingsboard/pull/15417
  • Fixed CVE-2025-70340: system alarm comments access control by @dashevchenko in https://github.com/thingsboard/thingsboard/pull/15377
  • Fixed multiple CVEs: 2026-39364, 2026-39363, 2026-4800 by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15466
  • Fixed CVE-2026-40895 by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15538
  • Fixed CVE-2026-5588, CVE-2026-5598, CVE-2025-14813, CVE-2026-35554, CVE-2026-27314 by @zzzeebra in https://github.com/thingsboard/thingsboard/pull/15458
  • Fixed CVE-2026-40975, CVE-2026-40973, CVE-2026-22740, CVE-2026-42198 by @zzzeebra in https://github.com/thingsboard/thingsboard/pull/15557
  • Fixed SSRF vulnerability in AI model provider URLs by @zzzeebra in https://github.com/thingsboard/thingsboard/pull/15412
  • Fixed SSRF and file access vulnerabilities in TBEL script sandbox by @zzzeebra in https://github.com/thingsboard/thingsboard/pull/15585
  • Fixed CVE-2026-40682, CVE-2026-42027 by @zzzeebra in https://github.com/thingsboard/thingsboard/pull/15588
  • Fixed CVE-2026-42579, CVE-2026-42583, CVE-2026-42584, CVE-2026-42587 by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15598
  • Hardened remote JS executor script invocation by @smatvienko-tb in https://github.com/thingsboard/thingsboard/pull/15600
  • Fixed CVE-2026-41284, CVE-2026-43512 by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15649
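
Two of the entries above (SSRF in AI model provider URLs, and SSRF in the TBEL script sandbox) are the same class of bug: a server-side component fetches a URL that an operator or script author controls, so the platform can be pointed at loopback services, internal hosts or the cloud metadata endpoint. The following is an added example, not ThingsBoard code and not a description of how either PR fixed it, of the validation a practitioner would put in front of any such outbound fetch. Policy constants, function names and the constructed DNS table used for the offline demo are assumptions.

```python
"""Added example: vet an operator-supplied outbound URL (for instance an AI model
provider endpoint) before a server-side component connects to it.
Not ThingsBoard code; names and policy constants below are assumptions."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy: TLS only, no embedded credentials, no non-public destinations.
ALLOWED_SCHEMES = frozenset({"https"})
# Names the server must never reach, regardless of what they resolve to.
DENIED_HOSTNAMES = frozenset({"localhost", "metadata.google.internal"})


class SSRFError(ValueError):
    """Raised when a URL would let the server reach something it should not."""


def _is_public_address(text: str) -> bool:
    """True only for globally routable unicast addresses.

    An IPv4-mapped IPv6 literal (::ffff:10.0.0.1) is unwrapped first so a private
    IPv4 address cannot hide inside an IPv6 literal. `is_global` rejects loopback,
    link-local (169.254/16, the cloud metadata range), RFC 1918, CGNAT 100.64/10,
    unspecified and reserved space; multicast is excluded separately.
    """
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def _default_resolver(hostname: str) -> list[str]:
    """Resolve every A/AAAA record; every one of them must pass the check."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_outbound_url(url: str, resolver=_default_resolver) -> list[str]:
    """Validate `url` and return the vetted addresses it resolves to.

    The caller should connect to one of the returned addresses directly (pinning
    the name resolution) rather than resolving the hostname a second time, which
    closes the DNS-rebinding window between check and use. Odd IPv4 spellings
    such as "0x7f.1" are not IP literals to `ipaddress`, so they go through the
    resolver and are caught when the resolved address turns out to be loopback.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SSRFError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SSRFError("credentials embedded in URL")
    host = parts.hostname
    if not host:
        raise SSRFError("missing host")
    host = host.rstrip(".").lower()
    if host in DENIED_HOSTNAMES:
        raise SSRFError(f"host is deny-listed: {host}")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # IP literal, no DNS needed
    except ValueError:
        addresses = resolver(host)
        if not addresses:
            raise SSRFError(f"host does not resolve: {host}")
    rejected = [a for a in addresses if not _is_public_address(a)]
    if rejected:
        raise SSRFError(f"{host} resolves to non-public address(es): {rejected}")
    return addresses


def is_safe_outbound_url(url: str, resolver=_default_resolver) -> bool:
    """Boolean wrapper around validate_outbound_url for policy checks."""
    try:
        validate_outbound_url(url, resolver)
        return True
    except SSRFError:
        return False


# Constructed DNS table so the demo runs offline (hypothetical names and addresses).
_DEMO_TABLE = {
    "api.example.com": ["93.184.216.34"],
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],  # mixed answer: reject all
    "noname.example.com": [],
}


def demo_resolver(hostname: str) -> list[str]:
    """Offline stand-in for _default_resolver backed by the constructed table."""
    return _DEMO_TABLE.get(hostname, [])


if __name__ == "__main__":
    for candidate in (
        "https://api.example.com/v1/chat",
        "http://api.example.com/v1/chat",
        "https://169.254.169.254/latest/meta-data/",
        "https://[::ffff:10.0.0.1]/",
        "https://rebind.example.com/",
    ):
        print(f"{candidate:45s} -> {'allowed' if is_safe_outbound_url(candidate, demo_resolver) else 'rejected'}")
```

The all-or-nothing rule on resolved addresses matters: an attacker-controlled name can return one public and one internal record, and a client that picks "whichever answers first" will eventually hit the internal one. Rejecting the whole answer set is the conservative choice; if a provider legitimately needs a private destination, that goes on an explicit allow list rather than being inferred from DNS.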

Core & Rule Engine

  • Performance and reliability improvements for Efento message processing by @dashevchenko in https://github.com/thingsboard/thingsboard/pull/15333
  • Exposed HTTP response compression configuration params by @dashevchenko in https://github.com/thingsboard/thingsboard/pull/15520
  • LZ4 compression support for Kafka by @volodymyr-babak in https://github.com/thingsboard/thingsboard/pull/15565
  • Fixed WS sessions limit handling for public users by @dashevchenko in https://github.com/thingsboard/thingsboard/pull/15313
  • Fixed REST API Call node blocking actor thread and semaphore permit leak by @smatvienko-tb in https://github.com/thingsboard/thingsboard/pull/15334
  • Fixed entity filtering by boolean data key for EDQS by @dashevchenko in https://github.com/thingsboard/thingsboard/pull/15457
  • Fixed MAX aggregation for mixed double and long telemetry values by @dashevchenko in https://github.com/thingsboard/thingsboard/pull/15560
  • Added config property to control null ordering in dashboards by @dashevchenko in https://github.com/thingsboard/thingsboard/pull/15425

UI

  • Bumped Node.js version from 22.18.0 to 22.22.2 by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15330
  • HTML container widget by @ikulikov in https://github.com/thingsboard/thingsboard/pull/15556
  • Hid the "Add Telemetry" button for Entity view by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15362
  • Added '@angular/core/rxjs-interop' to modules map by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15373
  • Fixed select options being clipped in widget settings form by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15399
  • Fixed display of long texts in Alarm assignee panel by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15408
  • Fixed Alarm Assignee icon placement by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15423
  • Adjusted size of entity type select to fit error message by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15427
  • Fixed show/hide of custom header actions when using function to control visibility by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15430
  • Fixed pageSize not being set for child nodes in Entities hierarchy widget by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15433
  • Fixed aggregation keys not being processed in Entities hierarchy widget by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15434
  • Fixed map shape labels drifting from center after viewport resize by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15531
  • Fixed CSV import not unescaping double quotes in unquoted fields by @ChantsovaEkaterina in https://github.com/thingsboard/thingsboard/pull/15581

Transport

  • Added automatic SSL/TLS certificate reload for transports without service restart by @AndriiLandiak in https://github.com/thingsboard/thingsboard/pull/15301
  • Fixed app hanging on MQTT port conflict at startup by @zzzeebra in https://github.com/thingsboard/thingsboard/pull/15451
  • SNMP: defer querying tasks until transport session is registered by @volodymyr-babak in https://github.com/thingsboard/thingsboard/pull/15346

Full Changelog: https://github.com/thingsboard/thingsboard/compare/v4.2.2.1...v4.2.2.2



About Thingsboard

Open-source IoT Platform - Device management, data collection, processing and visualization.
