This release includes 4 security fixes and is relevant to security teams reviewing exposed deployments.
ReleasePort's take
v4.3.2 removes the legacy /api/nodes/security-issues endpoint and gates API access with role-based permissions. Security fixes include SQLite column validation, message search access control, and traceroute history permission enforcement.
Why it matters: migrate any code that still calls the deprecated endpoint immediately. The permission gates (security:read, traceroute:read) now enforce access control, so test the upgrade in a dev environment first. SQLite column validation prevents injection through identifier interpolation; apply it before accepting untrusted query input.
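The SQLite fix in this release is about identifiers (table and column names), which cannot be passed as bound parameters and therefore have to be allowlisted before they reach the SQL text. The following is an added example, not MeshMonitor's own code: the table names, column names and the `buildOrderedSelect` helper are constructed for illustration, and the only values actually spliced into the statement are ones that survived the allowlist, while the limit stays a bound parameter.

```typescript
// Added example (not MeshMonitor's own code): allowlist the table and the
// column before either is spliced into a SQLite statement. Identifiers cannot
// be bound as parameters, so they must be validated; values still go through
// bound parameters. Table and column names here are constructed sample data.

// A Map rather than a plain object: a plain object would also "find" inherited
// keys such as "constructor" or "__proto__" and treat them as allowlisted.
const ALLOWED_COLUMNS: ReadonlyMap<string, ReadonlySet<string>> = new Map([
  ["nodes", new Set(["nodeNum", "longName", "lastHeard"])],
  ["telemetry", new Set(["nodeNum", "telemetryType", "value", "timestamp"])],
]);

// Plain SQL identifier shape; anything else (spaces, quotes, semicolons) is
// rejected before the allowlist lookup, so error messages never echo raw input.
const IDENTIFIER_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

function quoteIdentifier(name: string): string {
  return `"${name}"`;
}

// Returns the validated pair or throws; callers never interpolate unchecked input.
function validateIdentifiers(table: string, column: string): { table: string; column: string } {
  if (!IDENTIFIER_RE.test(table) || !IDENTIFIER_RE.test(column)) {
    throw new Error("identifier has invalid characters");
  }
  const columns = ALLOWED_COLUMNS.get(table);
  if (!columns) throw new Error(`table not allowlisted: ${table}`);
  if (!columns.has(column)) throw new Error(`column not allowlisted on ${table}: ${column}`);
  return { table, column };
}

// Builds a sorted, limited SELECT. Only allowlisted identifiers and a fixed
// ASC/DESC keyword reach the SQL text; the limit is a bound parameter.
function buildOrderedSelect(
  table: string,
  orderBy: string,
  direction: string,
  limit: number,
): { sql: string; params: number[] } {
  const ids = validateIdentifiers(table, orderBy);
  const dir = direction.toUpperCase() === "DESC" ? "DESC" : "ASC";
  if (!Number.isInteger(limit) || limit < 1) {
    throw new Error("limit must be a positive integer");
  }
  const sql = `SELECT * FROM ${quoteIdentifier(ids.table)} ORDER BY ${quoteIdentifier(ids.column)} ${dir} LIMIT ?`;
  return { sql, params: [limit] };
}

// Convenience wrapper used to check that bad identifiers are refused.
function isRejected(table: string, column: string): boolean {
  try {
    validateIdentifiers(table, column);
    return false;
  } catch {
    return true;
  }
}

// Sample usage with constructed input:
const sample = buildOrderedSelect("nodes", "lastHeard", "desc", 25);
console.log(sample.sql, sample.params);
```

The per-table column sets matter as much as the table allowlist: a column that exists on `telemetry` is still refused on `nodes`, so a caller cannot pair a legitimate column name with the wrong table.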
Summary
AI summary: Removed the legacy /api/nodes/security-issues endpoint.
Changes in this release
| Type | Severity | Summary | CVE | Classifier confidence |
|---|---|---|---|---|
| Security | Medium | block message search when user has zero channel permissions | — | low |
| Security | Medium | gate /api/traceroutes/history with traceroute:read | — | low |
| Feature | Medium | add showTraceroutes toggle to embed profiles | — | low |
| Feature | Medium | add MeshMonitor Chat for iOS to Third-Party Clients documentation | — | low |
| Deprecation | Medium | remove legacy /api/nodes/security-issues endpoint | — | low |
| Bugfix | Medium | keep uploadPhase on error so half-flash detection works | — | high |
| Bugfix | Medium | scope purgeAllNodes / purgeAllTelemetry by sourceId | — | high |
| Bugfix | Medium | scope OTA gateway IP to the active source | — | high |
| Bugfix | Medium | validate column names in SQLite | — | low |
| Bugfix | Medium | gate legacy /api/nodes/security-issues with security:read | — | low |
| Bugfix | Medium | align LXC template Node version with runtime | — | low |
| Refactor | Medium | gate cleanup with requireAdmin instead of redundant checks | — | low |
| Other | Medium | add `source.status_disconnected` key across locales | — | low |

Classification source: llm_adapter@2026-05-21.
Full changelog
Patch release rolling up fixes landed since 4.3.1.
Fixes
- #3001 fix(firmware): keep uploadPhase on error so half-flash detection works (no more false-positive half-flash markers from commit-OK ECONNRESET)
- #2998 chore: remove legacy /api/nodes/security-issues endpoint
- #2997 fix(sourcey): scope purgeAllNodes / purgeAllTelemetry by sourceId
- #2992 feat(embed): add showTraceroutes toggle to embed profiles
- #2981 fix(firmware): scope OTA gateway IP to the active source
- #2989 fix(sourcey): scope telemetry types and localNodeNum by sourceId
- #2986 fix(auth): mount optionalAuth() in front of permission-gated router
- #2983 fix(security): allowlist tables and validate column names in SQLite
- #2982 fix: replace hasPermission non-null assertions with null-safe guards
- #2980 fix(security): gate legacy /api/nodes/security-issues with security:read
- #2978 fix(security): block message search when user has zero channel permissions
- #2977 fix(security): gate /api/traceroutes/history with traceroute:read
- #2976 fix(lxc): align LXC template Node version with runtime
- #2975 refactor(audit): gate cleanup with requireAdmin instead of redundant checks
Refactors / Internals
- refactor(sourcey): extract resolveSourceManager helper, retire 65 inline lookups
- refactor(backup): unify SQLite path with Drizzle misc repository
- chore(eslint): close `const db = …; db.prepare()` escape hatch in no-raw-sql
Docs / i18n
- #2979 docs: add MeshMonitor Chat for iOS to Third-Party Clients
- #2874 Translations update from Hosted Weblate
- i18n: add `source.status_disconnected` key across locales
Full Changelog: https://github.com/Yeraze/meshmonitor/compare/v4.3.1...v4.3.2
🚀 MeshMonitor v4.3.2
📦 Installation
Docker (recommended):
docker run -d \
--name meshmonitor \
-p 8080:3001 \
-v meshmonitor-data:/data \
ghcr.io/Yeraze/meshmonitor:4.3.2
🧪 Testing
✅ All tests passed
✅ TypeScript checks passed
✅ Docker images built for linux/amd64, linux/arm64, linux/arm/v7
📋 Changes
See commit history for detailed changes.
Breaking Changes
- Removed legacy /api/nodes/security-issues endpoint
Security Fixes
- Allowlist tables and validate column names in SQLite
- Gate legacy /api/nodes/security-issues with security:read permission
- Block message search when user has zero channel permissions
- Gate /api/traceroutes/history with traceroute:read permission
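Three of the four security fixes above are access-control gates, and two related changelog entries (mounting optionalAuth() in front of the permission-gated router, and replacing hasPermission non-null assertions with null-safe guards) describe the shape such a gate needs. The following is an added example, not MeshMonitor's own code: the `User` shape, the `messages:read` permission name and the sample messages are assumptions, since the page names only security:read and traceroute:read. It shows a gate that tolerates an anonymous caller instead of asserting a user exists, and a message search that refuses outright when the caller holds zero channel permissions.

```typescript
// Added example (not MeshMonitor's own code): a null-safe permission gate in
// the style of an Express middleware, plus the "zero channel permissions"
// check applied to message search. The User shape, the messages:read
// permission and the sample data are constructed for illustration.

type Permission = "security:read" | "traceroute:read" | "messages:read";

interface User {
  id: string;
  permissions: ReadonlySet<Permission>;
  // Channel indices on which this user may read messages.
  readableChannels: ReadonlySet<number>;
}

interface Message {
  channel: number;
  text: string;
}

interface GateResult {
  status: 200 | 401 | 403;
  reason?: string;
}

// optionalAuth() leaves the user undefined for anonymous callers, so the gate
// must handle a missing user explicitly rather than asserting it is present
// (the non-null-assertion pattern is what the changelog replaced).
function gate(user: User | undefined, needed: Permission): GateResult {
  if (!user) return { status: 401, reason: "authentication required" };
  if (!user.permissions.has(needed)) return { status: 403, reason: `missing ${needed}` };
  return { status: 200 };
}

// Message search: a user with messages:read but zero readable channels is
// refused with 403 before the query runs, rather than being handed an empty
// result set that still exercised the search path on their behalf.
function searchMessages(
  user: User | undefined,
  messages: readonly Message[],
  query: string,
): { status: 200 | 401 | 403; results: Message[] } {
  const g = gate(user, "messages:read");
  if (g.status !== 200 || !user) return { status: g.status, results: [] };
  if (user.readableChannels.size === 0) return { status: 403, results: [] };
  const channels = user.readableChannels;
  const q = query.toLowerCase();
  const results = messages.filter(
    (m) => channels.has(m.channel) && m.text.toLowerCase().includes(q),
  );
  return { status: 200, results };
}

// Constructed sample data for a stand-alone run.
const alice: User = {
  id: "alice",
  permissions: new Set<Permission>(["messages:read", "traceroute:read"]),
  readableChannels: new Set([0, 2]),
};
const bob: User = {
  id: "bob",
  permissions: new Set<Permission>(["messages:read"]),
  readableChannels: new Set(),
};
const sampleMessages: Message[] = [
  { channel: 0, text: "Relay up" },
  { channel: 1, text: "relay down" },
  { channel: 2, text: "Relay test" },
];

console.log(gate(undefined, "traceroute:read"), gate(bob, "traceroute:read"));
console.log(searchMessages(alice, sampleMessages, "relay"));
```

The two refusals look alike from the outside (both are 403), but they fail for different reasons: the permission gate checks an endpoint-level permission, while the zero-channel check is a data-scope condition that the permission alone does not capture. Keeping them as separate checks makes each one easy to test on its own.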
Earlier breaking changes
- v4.7.2 Route `destination` field now rejects non‑8‑hex nodeId or 64‑hex publicKey, returning HTTP 400.