
Oikos

v0.71.12 Security

This release includes 1 security fix; relevant for security teams reviewing exposed deployments.

Published 3d Productivity & Wikis
✓ No known CVEs patched

Topics

docker family family-planner home-automation planner-app privacy-first progressive-web-app pwa self-hosted selfhosted-apps

Affected surfaces

auth

ReleasePort's take

Light signal
editorial:auto 3d

OIDC account linking now enforces a strict `email_verified === true` check by default; administrators can override this requirement using the new `OIDC_TRUST_EMAIL_WITHOUT_VERIFIED_CLAIM` environment variable.

Why it matters: The update again requires a verified email claim before an OIDC account is linked, closing the relaxed check from v0.71.11; admins who run an IdP that omits the claim can opt in explicitly via the OIDC_TRUST_EMAIL_WITHOUT_VERIFIED_CLAIM env var.

Summary

AI summary

OIDC account linking now requires verified emails by default; admins can opt in with OIDC_TRUST_EMAIL_WITHOUT_VERIFIED_CLAIM.

Changes in this release

Security High

Restores strict `email_verified === true` check for OIDC account linking.

Source: llm_adapter@2026-06-11

Confidence: high

Feature Low

Adds `OIDC_TRUST_EMAIL_WITHOUT_VERIFIED_CLAIM` env var for opt-in linking when the `email_verified` claim is missing.

Source: llm_adapter@2026-06-11

Confidence: high

Full changelog

Security

  • OIDC account linking (revert of v0.71.11): the relaxed email_verified !== false check introduced in v0.71.11 is reverted in favour of an explicit opt-in. The default is restored to requiring email_verified === true; the new OIDC_TRUST_EMAIL_WITHOUT_VERIFIED_CLAIM=true env var lets admins opt in explicitly for IdPs that omit the claim but only ever issue verified addresses.

Added

  • OIDC_TRUST_EMAIL_WITHOUT_VERIFIED_CLAIM env var (opt-in): set to true to allow account linking when the IdP omits the email_verified claim entirely. Only enable this for IdPs fully under your control that never issue unverified email addresses (e.g. older Authentik deployments without an explicit email_verified property mapping).

Security Fixes

  • Reverted relaxed `email_verified !== false` check; restored strict `email_verified === true` requirement in OIDC account linking (addresses security regression introduced in v0.71.11)
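The following is an added illustration, not code from the Oikos/Yuvomi project: it models the account-linking decision under the reverted v0.71.11 check and under the restored strict check with the opt-in, for every state the `email_verified` claim can take. The function names and the `claims`/`env` shapes are assumptions; the env var name and the two comparisons come from the changelog above.

```javascript
// v0.71.11 (regression): anything other than an explicit boolean `false`
// passes, so an IdP that omits the claim, or sends a non-boolean value,
// gets its account linked without any verification evidence.
function linkAllowedRelaxed(claims) {
  return claims.email_verified !== false;
}

// v0.71.12: only boolean `true` passes by default. A *missing* claim is
// accepted only when the admin has set the opt-in env var; an explicit
// `false`, or a non-boolean such as the string "true", is never accepted.
function linkAllowedStrict(claims, env = process.env) {
  if (claims.email_verified === true) {
    return { link: true, reason: 'email_verified=true' };
  }
  const claimMissing = !Object.prototype.hasOwnProperty.call(claims, 'email_verified');
  const optIn = env.OIDC_TRUST_EMAIL_WITHOUT_VERIFIED_CLAIM === 'true';
  if (claimMissing && optIn) return { link: true, reason: 'claim absent, admin opt-in' };
  if (claimMissing) return { link: false, reason: 'claim absent, no opt-in' };
  return {
    link: false,
    reason: `email_verified=${JSON.stringify(claims.email_verified)} is not boolean true`,
  };
}

// Constructed sample ID-token claim sets (no real identities).
const SAMPLE_CLAIMS = {
  verified:   { sub: 'u1', email: 'a@example.test', email_verified: true },
  unverified: { sub: 'u2', email: 'b@example.test', email_verified: false },
  missing:    { sub: 'u3', email: 'c@example.test' },
  stringTrue: { sub: 'u4', email: 'd@example.test', email_verified: 'true' },
};

// Side-by-side outcome of both policies for each sample, with and without the opt-in.
function comparePolicies(samples = SAMPLE_CLAIMS) {
  const rows = {};
  for (const [name, claims] of Object.entries(samples)) {
    rows[name] = {
      relaxed_v0_71_11: linkAllowedRelaxed(claims),
      strict_default: linkAllowedStrict(claims, {}).link,
      strict_opt_in: linkAllowedStrict(claims, { OIDC_TRUST_EMAIL_WITHOUT_VERIFIED_CLAIM: 'true' }).link,
    };
  }
  return rows;
}

console.table(comparePolicies());
```

The `missing` row is the regression: the relaxed check links it unconditionally, while the strict check links it only under the explicit opt-in.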


About Oikos

Family planner for small households


Related context

Earlier breaking changes

  • v0.71.3 Changes WebDAV backup default path from "/oikos/backups/" to "/yuvomi/backups/".
  • v0.66.0 Repository URL changed to `https://github.com/ulsklyc/yuvomi`.
  • v0.66.0 Docker image moved to `ghcr.io/ulsklyc/yuvomi`.
  • v0.66.0 Project renamed from Oikos to Yuvomi.
  • v0.62.0 Changes event dialog to unified sync target picker across Google and CalDAV calendars.
