memos

v0.29.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 7d Productivity & Wikis
✓ No known CVEs patched
This release patches 1 known CVE

Topics

docker go markdown memo microblog note-taking notecard own-your-data react self-hosted social-network sqlite

Affected surfaces

auth deps

ReleasePort's take

Moderate signal
editorial:auto 7d

Version v0.29.0 introduces link metadata APIs and UI cards while hardening security by rejecting DNS rebinding during fetches.

Why it matters: Security fact (severity 90) blocks DNS rebinding attacks when fetching link metadata, directly protecting data integrity for developers, SREs, and security engineers.

Summary

AI summary

Updates Bug Fixes, Memo and Workspace Improvements, and Link Previews and Metadata across a mixed release.

Changes in this release

Security Critical

Rejects DNS rebinding attempts when fetching link metadata.

Source: llm_adapter@2026-05-27

Confidence: high

Feature Medium

Adds link metadata APIs for fetching and batching memo link data.

Source: llm_adapter@2026-05-27

Confidence: high

Feature Medium

Renders metadata cards for shared links in the web app.

Source: llm_adapter@2026-05-27

Confidence: high

Feature Medium

Adds SMTP email configuration to instance notification settings.

Source: llm_adapter@2026-05-27

Confidence: high

Feature Medium

Provides an API endpoint for testing notification email settings.

Source: llm_adapter@2026-05-27

Confidence: high

Feature Medium

Exposes provider, model, and prompt configuration for speech‑to‑text transcription.

Source: llm_adapter@2026-05-27

Confidence: high

Feature Medium

Adds faster task interactions for memos containing task lists.

Source: llm_adapter@2026-05-27

Confidence: high

Feature Medium

Creates memos from the calendar using the selected date.

Source: llm_adapter@2026-05-27

Confidence: high

Feature Medium

Provides a dedicated page for managing shortcuts.

Source: llm_adapter@2026-05-27

Confidence: high

Feature Low

Adds instance resource statistics to admin instance stats.

Source: granite4.1:30b@2026-05-27-audit

Confidence: low

Feature Low

Allows filtering of all-user statistics for focused administration views.

Source: granite4.1:30b@2026-05-27-audit

Confidence: low

Feature Low

Accepts a `--log-level` flag to configure server log verbosity.

Source: granite4.1:30b@2026-05-27-audit

Confidence: low

Performance Medium

Lazy‑loads heavy dependencies to improve initial screen loading speed.

Source: llm_adapter@2026-05-27

Confidence: high

Bugfix Medium

Enforces attachment ownership when updating memos.

Source: granite4.1:30b@2026-05-27-audit

Confidence: low

Bugfix Medium

Ensures comments respect the visibility of their parent memo.

Source: granite4.1:30b@2026-05-27-audit

Confidence: low

Bugfix Low

Omits internal settings from user list responses.

Source: granite4.1:30b@2026-05-27-audit

Confidence: low

Bugfix Low

Prevents extra update events when creating memos with attachments.

Source: granite4.1:30b@2026-05-27-audit

Confidence: low

Bugfix Low

Syncs profile avatar changes immediately after update.

Source: granite4.1:30b@2026-05-27-audit

Confidence: low

Bugfix Low

Preserves HDR image metadata in thumbnails and retains motion media payloads during S3 presigned uploads.

Source: granite4.1:30b@2026-05-27-audit

Confidence: low

Bugfix Low

Improves URL paste wrapping and task‑list alignment in the editor.

Source: granite4.1:30b@2026-05-27-audit

Confidence: low

Bugfix Low

Corrects frontend static cache headers and public memo sitemap paths.

Source: granite4.1:30b@2026-05-27-audit

Confidence: low

Bugfix Low

Ensures initial SSE responses stream correctly and handle refresh tokens properly.

Source: granite4.1:30b@2026-05-27-audit

Confidence: low

Full changelog

This release adds richer link previews, notification email settings, shortcut and memo workflow improvements, and a set of security, media, and editor fixes. It also adds new instance statistics APIs and performance improvements for the initial screen.

New Features

Link Previews and Metadata

  • Link metadata APIs - Memos now includes endpoints for fetching and batching metadata for links attached to memos.
  • Rendered link cards - The web app can render metadata cards for shared links, making memo references easier to scan.
  • DNS rebinding protection - Link metadata fetching now rejects DNS rebinding attempts.

Notification and Transcription Settings

  • SMTP email settings - Instance notification settings now include SMTP email configuration.
  • Email test endpoint - Admins can test notification email settings through the instance API.
  • Explicit speech-to-text settings - Transcription settings now expose provider, model, and prompt configuration.

Memo and Workspace Improvements

  • Task list quick actions - Memos with task lists now support faster task interactions.
  • Calendar-aware memo creation - Creating a memo from the calendar uses the selected calendar date.
  • Dedicated shortcuts page - Shortcut management is available from a dedicated page.
  • About page and placeholder refresh - The app includes a refreshed about page and new placeholder states.

Administration and Statistics

  • Instance resource statistics - Admin instance stats now include resource statistics.
  • Filtered all-user stats - All-user statistics can be filtered for more focused administration views.
  • Configurable log level - The server now accepts a --log-level flag.

Bug Fixes

  • Attachment ownership enforcement - Memo updates now enforce attachment ownership.
  • Comment visibility - Comments now respect parent memo visibility.
  • User response privacy - User list responses omit internal settings.
  • Memo creation events - Creating memos with attachments no longer emits an extra update event.
  • Avatar sync - Profile avatar changes sync immediately after update.
  • Release media handling - HDR image metadata is preserved in thumbnails, and motion media payloads are preserved through S3 presigned uploads.
  • Editor and markdown polish - URL paste wrapping and task-list alignment are improved.
  • Static cache and sitemap paths - Frontend static cache headers and public memo sitemap paths are corrected.
  • SSE refresh behavior - Initial SSE responses stream correctly and refresh tokens are handled.

Performance Improvements

  • Initial screen loading - Heavy first-screen dependencies are lazy loaded.

New Contributors

  • @Moustafaa91 made their first contribution in https://github.com/usememos/memos/pull/5902
  • @wally-an made their first contribution in https://github.com/usememos/memos/pull/5903
  • @tokenicrat made their first contribution in https://github.com/usememos/memos/pull/5921
  • @mayanksaini18 made their first contribution in https://github.com/usememos/memos/pull/5934
  • @santoshyadavdev made their first contribution in https://github.com/usememos/memos/pull/5954

Full Changelog: https://github.com/usememos/memos/compare/v0.28.0...v0.29.0

Security Fixes

  • DNS rebinding attempts are rejected when fetching link metadata (link previews module)

About memos

Open-source, self-hosted note-taking tool built for quick capture. Markdown-native, lightweight, and fully yours.
