
Oikos

v0.60.3 Security

This release contains 3 security hardening fixes and is relevant to teams reviewing internet-exposed deployments.

Published 10h Productivity & Wikis
✓ No known CVEs patched (the fixes below are hardening changes without CVE identifiers)

Topics

docker, family, family-planner, home-automation, planner-app, privacy-first, progressive-web-app, pwa, self-hosted, selfhosted-apps

Affected surfaces

auth

ReleasePort's take

Moderate signal
editorial:auto 9h

The release restricts access to OpenAPI specs and version information to authenticated users only.

Why it matters: /openapi.json, /api/v1/openapi.json and /docs now require an admin login, and /docs returns 404 unless ENABLE_API_DOCS=true is set; /api/v1/version returns the exact application version only to authenticated callers, while anonymous requests get just app_name and setup_required; and POST /api/v1/auth/setup answers 404 instead of 403 once initial setup is complete. Together these remove the anonymous version fingerprinting and API-surface enumeration that a scanner would otherwise use to map an exposed instance before attacking it.

Summary

AI summary

The OpenAPI spec and /docs are restricted to authenticated admins, the exact version is returned only to authenticated callers, and the completed first-run setup endpoint now answers 404 to anonymous requests.

Changes in this release

Security Critical

/openapi.json, /api/v1/openapi.json, and /docs now require admin login; docs hidden by default (404 unless ENABLE_API_DOCS=true)

Source: llm_adapter@2026-06-03

Confidence: high

Security High

/api/v1/version returns exact app version only to authenticated callers; unauthenticated requests receive limited info

Source: llm_adapter@2026-06-03

Confidence: high

Security High

/api/v1/auth/setup returns 404 instead of 403 after initial setup, hiding first‑run admin creation flow from anonymous users

Source: llm_adapter@2026-06-03

Confidence: high

Security High

Removed deployment host URL and SQLite implementation details (backup endpoints, version schema) from generated OpenAPI spec

Source: llm_adapter@2026-06-03

Confidence: high

Full changelog

Security

  • Restrict the OpenAPI specification (/openapi.json, /api/v1/openapi.json) and the /docs documentation page to signed-in admins, based on a penetration-test scan (#228). /docs is now hidden entirely in production and returns 404 unless the new optional ENABLE_API_DOCS=true is set, in which case it is exposed to admins only.
  • GET /api/v1/version now returns the exact application version only to authenticated callers (session or API token). Unauthenticated login and setup pages still receive app_name and setup_required, so version fingerprinting no longer works anonymously.
  • POST /api/v1/auth/setup responds with 404 instead of 403 in production once initial setup is complete, so the first-run admin-creation flow is no longer confirmed to anonymous visitors.
  • Remove the deployment host URL and SQLite implementation details (backup endpoint descriptions, version schema) from the generated OpenAPI spec.

Security Fixes

  • Restricted `/openapi.json`, `/api/v1/openapi.json`, and `/docs` to signed-in admins; `ENABLE_API_DOCS=true` can re‑enable docs for admins.
  • Limited `GET /api/v1/version` exact version response to authenticated callers only.
  • Changed `POST /api/v1/auth/setup` production response from `403` to `404` after initial setup, hiding first‑run admin creation flow.
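A post-upgrade check for the four surfaces above, written as an added example for this page (it is not Oikos project code). The endpoint paths and the JSON field names app_name, setup_required and version come from the changelog; the status codes a hardened instance returns to anonymous callers, the sample response bodies, and the helper names (Probe, fetch, findings, check_deployment) are assumptions. The pass/fail logic is kept separate from the HTTP calls so it can be exercised against constructed responses without a live server.

```python
# Added example: anonymous probes of the surfaces hardened in Oikos v0.60.3.
# Not project code; status codes, bodies and helper names are assumptions.
import json
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

SEMVER = re.compile(r"^\d+\.\d+\.\d+")


@dataclass
class Probe:
    method: str
    path: str
    status: int
    body: str


def fetch(base_url: str, method: str, path: str) -> Probe:
    """Anonymous request (no session cookie, no API token) against a live instance."""
    data = b"{}" if method == "POST" else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return Probe(method, path, resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return Probe(method, path, err.code, err.read().decode("utf-8", "replace"))


def _json(body: str):
    try:
        return json.loads(body)
    except ValueError:
        return None


def findings(probes: list) -> list:
    """Describe every probe whose anonymous response still matches pre-0.60.3 behaviour."""
    out = []
    for p in probes:
        doc = _json(p.body)
        if p.path in ("/openapi.json", "/api/v1/openapi.json"):
            # Hardened: admin-only. A parseable spec on an anonymous GET is the leak.
            if p.status == 200 and isinstance(doc, dict) and ("openapi" in doc or "paths" in doc):
                out.append(f"{p.path}: OpenAPI spec served to anonymous caller")
        elif p.path == "/docs":
            # Hardened: 404 by default, admin-only with ENABLE_API_DOCS=true; only 200 is a finding.
            if p.status == 200:
                out.append("/docs: interactive docs reachable anonymously")
        elif p.path == "/api/v1/version":
            # Hardened: app_name/setup_required may still be returned; an exact version may not.
            if isinstance(doc, dict) and SEMVER.match(str(doc.get("version", ""))):
                out.append(f"/api/v1/version: exact version {doc['version']!r} exposed anonymously")
        elif p.path == "/api/v1/auth/setup" and p.method == "POST":
            # Hardened: 404 once setup is complete. 403 is the old answer that confirms the
            # flow exists; a 2xx means first-run admin creation is still open to anyone.
            if p.status == 403:
                out.append("/api/v1/auth/setup: 403 confirms the setup flow (pre-fix behaviour)")
            elif 200 <= p.status < 300:
                out.append("/api/v1/auth/setup: initial setup still open to anonymous callers")
    return out


def check_deployment(base_url: str) -> list:
    """Run the anonymous probes against a live instance and return the findings."""
    targets = [("GET", "/openapi.json"), ("GET", "/api/v1/openapi.json"), ("GET", "/docs"),
               ("GET", "/api/v1/version"), ("POST", "/api/v1/auth/setup")]
    return findings([fetch(base_url, m, path) for m, path in targets])


# Constructed responses (not captured from a real instance) illustrating both states.
PRE_FIX = [
    Probe("GET", "/openapi.json", 200,
          '{"openapi":"3.1.0","servers":[{"url":"https://oikos.example"}],"paths":{}}'),
    Probe("GET", "/docs", 200, "<html><title>API docs</title></html>"),
    Probe("GET", "/api/v1/version", 200,
          '{"app_name":"Oikos","version":"0.60.2","setup_required":false}'),
    Probe("POST", "/api/v1/auth/setup", 403, '{"detail":"Setup already completed"}'),
]
POST_FIX = [
    Probe("GET", "/openapi.json", 401, '{"detail":"Not authenticated"}'),
    Probe("GET", "/docs", 404, '{"detail":"Not Found"}'),
    Probe("GET", "/api/v1/version", 200, '{"app_name":"Oikos","setup_required":false}'),
    Probe("POST", "/api/v1/auth/setup", 404, '{"detail":"Not Found"}'),
]

if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else None
    for line in (check_deployment(url) if url else findings(PRE_FIX)):
        print("FINDING:", line)
```

Run it with the instance's base URL to probe a real deployment, or with no argument to see the four findings the constructed pre-fix responses produce. Note that the setup check assumes initial setup has already been completed; on a fresh instance a 2xx from POST /api/v1/auth/setup is expected, not a regression.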


About Oikos

Family planner for small households
