This release includes 3 security fixes; the notes below are written for security teams reviewing exposed deployments.
Summary
Authentication flows were rebuilt and hardened, and reset codes are now consumed atomically together with the password update.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | Refresh tokens are single-use and deleted on rotation/logout. | — |
| Security | Medium | Logout ends only the current session; "log out everywhere" is reserved for password change / 2FA enrollment. | — |
| Security | Medium | Reset-by-code consumption and password update are atomic. | — |
| Security | Medium | OAuth email is lowercased at the boundary; invite races and seat-count edges tightened. | — |
| Security | Medium | Login no longer runs invite/side effects before password verification. | — |
| Feature | Medium | Self-serve project selection for users with no active project. | — |
| Performance | Medium | Project initialization batched into far fewer queries. | — |
| Bugfix | Medium | Logout / account-switch hard-loads a clean login page, removing the `?next` flash and leaked pages. | — |
| Bugfix | Medium | Cross-tab auth sync: login/logout/register reloads other tabs onto the shared session; stale-tab drift self-recovers. | — |
| Bugfix | Medium | Auth pages gate on globalConfig and read it from a single source, eliminating duplicate queries. | — |
| Bugfix | Medium | Invite email now renders the project name correctly. | — |
| Refactor | Medium | Authentication flows (sign-up, login, forgot-password, team invites, logout) were rebuilt and hardened. | — |
Full changelog
Authentication overhaul: sign-up, login, forgot-password, team invites and
logout were rebuilt and hardened end to end, plus self-serve project selection.
Highlights
- Reworked auth flows: invite rebuilt, reset-password folded into the login page, reset codes hardened, and the whole signup/login/invite path tightened.
- Self-serve project selection: a user with no active project now lands on a dedicated page to create or pick one, instead of a silent "Unnamed Project" bootstrap or a blank admin shell.
Security
- Login no longer runs invite/side effects before the password is verified, and invites are bound to the recipient's email.
- Refresh tokens are single-use and deleted on rotation/logout (no more unbounded revoked rows); a daily job sweeps expired rows.
- Logout ends only the current session; "log out everywhere" stays reserved for password change / 2FA enrollment.
- Reset-by-code consumption + password update are atomic; OAuth email is lowercased at the boundary; invite races and seat-count edges tightened.
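The refresh-token and logout rules above, modelled as an in-memory store. This is an added example written for these notes, not code from the usertour repository: the class and method names (`SessionStore`, `rotate`, `logout`, `logoutEverywhere`, `sweepExpired`), the row shape and the 30-day lifetime are assumptions, and the store is a `Map` standing in for the database table. It shows the three properties the release describes: a presented refresh token is deleted in the same step that its replacement is minted (so reuse fails instead of leaving a revoked row behind), logout removes only the row for the session that presented the token, and a sweep removes expired rows so the table cannot grow without bound.

```javascript
// Added example, not usertour's code. Names, row shape and TTL are assumptions.
const REFRESH_TTL_MS = 30 * 24 * 60 * 60 * 1000; // assumed 30-day refresh lifetime

// Token ids: use the platform CSPRNG when it exists, otherwise a counter so the
// example still runs anywhere (fallback is for this example only, not for production).
let fallbackCounter = 0;
function newToken() {
  const c = globalThis.crypto;
  return c && typeof c.randomUUID === 'function' ? c.randomUUID() : `tok-${++fallbackCounter}`;
}

class SessionStore {
  constructor() {
    this.rows = new Map(); // token -> { userId, sessionId, expiresAt }
  }

  // Mint a refresh token for one session (browser/device) of a user.
  issue(userId, sessionId, now = Date.now()) {
    const token = newToken();
    this.rows.set(token, { userId, sessionId, expiresAt: now + REFRESH_TTL_MS });
    return token;
  }

  // Single-use rotation: the presented token row is deleted before the
  // replacement is issued, so presenting the old token again returns null.
  // Unknown or expired tokens are treated the same way (and an expired row is dropped).
  rotate(token, now = Date.now()) {
    const row = this.rows.get(token);
    this.rows.delete(token);
    if (!row || row.expiresAt <= now) return null;
    return this.issue(row.userId, row.sessionId, now);
  }

  // Logout ends only the session that presented this token; other sessions keep working.
  logout(token) {
    return this.rows.delete(token);
  }

  // Reserved for password change / 2FA enrollment: drop every session of the user.
  // Deleting from a Map while iterating it is safe in JS; deleted entries are skipped.
  logoutEverywhere(userId) {
    let removed = 0;
    for (const [token, row] of this.rows) {
      if (row.userId === userId) {
        this.rows.delete(token);
        removed++;
      }
    }
    return removed;
  }

  // Daily job: delete expired rows so the table size stays bounded by live sessions.
  sweepExpired(now = Date.now()) {
    let removed = 0;
    for (const [token, row] of this.rows) {
      if (row.expiresAt <= now) {
        this.rows.delete(token);
        removed++;
      }
    }
    return removed;
  }

  // Number of live (unexpired) sessions a user currently has.
  activeSessions(userId, now = Date.now()) {
    let count = 0;
    for (const row of this.rows.values()) {
      if (row.userId === userId && row.expiresAt > now) count++;
    }
    return count;
  }
}
```

In a real database the `rotate` step is one transaction: a `DELETE ... RETURNING` (or equivalent) that yields the row gates the insert of the new token, so two concurrent presentations of the same token cannot both succeed; the in-memory version gets that for free because the lookup and delete run without an `await` between them.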
Fixes
- Logout / account-switch hard-loads a clean login page: no `?next` flash and no leaking of the page you just left.
- Cross-tab auth sync: login/logout/register in one tab reloads the others onto the shared session; stale-tab drift on email-link flows self-recovers.
- Auth pages gate on globalConfig (no OAuth-button flash) and read it from a single source (no duplicate queries / double loading).
- Invite email now renders the project name correctly.
Performance
- Project initialization batched into far fewer queries.
Breaking Changes
- Logout now ends only the current session; 'log out everywhere' is reserved for password change/2FA enrollment.
Security Fixes
- Login performs password verification before running invite side effects; invites are bound to the recipient's email.
- Refresh tokens become single-use and are deleted on rotation/logout; a daily job sweeps expired rows.
- Reset-by-code consumption + password update are atomic; OAuth email lowercased at boundary; invite races and seat-count edges tightened.
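Why "reset-by-code consumption + password update are atomic" matters, as an added example that is not usertour's code. Two versions of a reset handler race against each other with the same code; the store, the function names (`resetNonAtomic`, `resetAtomic`, `raceOnce`) and the sample code value are constructed for this example. The non-atomic handler checks the code, then awaits something slow (standing in for hashing the new password or a second query) before consuming the code and writing the password, so two concurrent requests both pass the check and both succeed. The atomic handler does the slow work first and then consumes the code and writes the password in one step with no await between them, so exactly one request wins.

```javascript
// Added example, not usertour's code. Store shape and names are assumptions.

// Constructed sample state: one pending reset code for user u1.
function makeStore() {
  return {
    resetCodes: new Map([['483921', { userId: 'u1', expiresAt: 2000000 }]]),
    passwords: new Map([['u1', 'old-hash']]),
  };
}

// Stand-in for an async round trip (password hashing, a second DB query).
// The await is the point at which another request can interleave.
const roundTrip = () => Promise.resolve();

// Non-atomic: check, await, then consume and write. Both concurrent callers
// read the row before either deletes it, so both report success and the
// second write silently overwrites the first.
async function resetNonAtomic(store, code, newHash, now) {
  const row = store.resetCodes.get(code);
  if (!row || row.expiresAt <= now) return false;
  await roundTrip();
  store.resetCodes.delete(code);
  store.passwords.set(row.userId, newHash);
  return true;
}

// Atomic: do the slow work first, then consume the code and update the
// password in one uninterrupted step. In SQL this is a single transaction
// where a DELETE ... RETURNING of the code row gates the UPDATE of the password.
async function resetAtomic(store, code, newHash, now) {
  await roundTrip();
  const row = store.resetCodes.get(code);
  if (!row || row.expiresAt <= now) return false;
  store.resetCodes.delete(code);             // consume ...
  store.passwords.set(row.userId, newHash);  // ... and update, no await between
  return true;
}

// Fire two requests carrying the same code at once and report what happened.
async function raceOnce(handler) {
  const store = makeStore();
  const results = await Promise.all([
    handler(store, '483921', 'hash-A', 1000000),
    handler(store, '483921', 'hash-B', 1000000),
  ]);
  return {
    successes: results.filter(Boolean).length,
    finalHash: store.passwords.get('u1'),
    codeStillPresent: store.resetCodes.has('483921'),
  };
}
```

The same shape applies to any one-time credential: a reset code, an invite token or a refresh token should be consumed by the write that depends on it, never by a separate check that runs earlier.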
About usertour
Usertour is an open-source user onboarding platform. It allows you to create in-app product tours, checklists, and surveys in minutes, effortlessly and with full control. It is the open-source alternative to Userflow and Appcues.