Thingsboard

Home Automation

Open‑source IoT platform for collecting, processing, visualizing telemetry and managing devices

Java · Latest v4.3.1.2 · 6d ago

Features

  • Provision and manage devices and assets securely with server‑side APIs
  • Collect, store, and visualize telemetry data using built‑in or custom widgets on real‑time dashboards
  • Process and react to incoming data via a powerful rule engine that can transform, normalize, and raise alarms

Recent releases

v4.3.1.2 · Breaking risk
Tags: RCE / SSRF · Auth · Breaking upgrade

CVE fixes + UI & transport improvements

v4.2.2.2 · Security relevant
Tags: RCE / SSRF · Auth

CVE fixes + module improvements

v4.3.1.1 · Security relevant
Security fixes
  • CVE-2026-24308 — Fixed
  • CVE-2026-24281 — Fixed
  • CVE-2026-24400 — Fixed
Full changelog

What's Changed

Security

  • Fixed XSS vulnerability in notification center by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15204
  • Fixed CVE-2026-24308, CVE-2026-24281 and CVE-2026-24400 by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15244
  • Added configurable security headers and env-var-backed CORS configuration by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15254
  • Fixed SSRF DNS rebinding bypass, added allow-list by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15253
  • Fixed CVE-2026-24281, CVE-2026-24308, CVE-2026-24400, CVE-2026-29063, CVE-2026-29087, CVE-2026-29786, CVE-2026-30827, CVE-2026-31802, CVE-2026-32141, CVE-2026-32635, CVE-2026-27904 by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15251
  • Fixed CVE-2026-22731, CVE-2026-22732, CVE-2026-22733, CVE-2026-22737 + Spring Boot 3.5 by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15278
  • Fixed CVE-2026-33228 by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15293
  • Fixed CVE-2026-33870, CVE-2026-33871 and GHSA-72hv-8253-57qq by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15315
  • Fixed CVE-2026-33895, CVE-2026-33894, CVE-2026-33896, CVE-2026-33750, CVE-2026-4923, CVE-2026-33671 by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15322
  • Fixed CVE-2026-0861, CVE-2026-0915, CVE-2025-15281 for Docker images by @ViacheslavKlimov

Core & Rule Engine

  • Sanitize database error messages by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15262
  • Added OTA package data cleanup by @AndriiLandiak in https://github.com/thingsboard/thingsboard/pull/14775
  • Fixed notification requests and RPC cleanup timeout on large datasets by @AndriiLandiak in https://github.com/thingsboard/thingsboard/pull/14762
  • Added WS update on telemetry deletion by @dashevchenko in https://github.com/thingsboard/thingsboard/pull/14781

UI

  • Updated locales da_DK, de_DE, el_GR, es_ES, fr_FR, it_IT, ja_JP, nl_NL, no_NO, pt_BR, tr_TR, uk_UA, zh_CN by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15237
  • Hidden "Show on widgets" button on sysadmin level by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15203
  • Fixed WS reconnect loop and notification spam when session limit is reached by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15219
  • Fixed missing translation for Polylines toggle in map settings by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15252
  • Fixed resetting of validation on storeLink property by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15168
  • Fixed time series table widgets tab style by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15267
  • Fixed proxy error handling for 502/503/504 HTTP status codes by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15292
  • Fixed string-items-list autocomplete selection and blur handling by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15273

Edge

  • Support combined PEM cert+key for Edge gRPC SSL by @smatvienko-tb in https://github.com/thingsboard/thingsboard/pull/15205

Transport

  • MQTTS metrics and client address logging on exceptionCaught by @smatvienko-tb in https://github.com/thingsboard/thingsboard/pull/15112
  • Fixed LwM2M Redis stores startup: use separate connections for SCAN and GET by @smatvienko-tb in https://github.com/thingsboard/thingsboard/pull/15143

Full Changelog: https://github.com/thingsboard/thingsboard/compare/v4.3.1...v4.3.1.1

v4.2.2.1 · Security relevant
Security fixes
  • CVE-2026-24308 — XSS vulnerability in notification center — Fixed
  • CVE-2026-24281, CVE-2026-24400, CVE-2026-29063, CVE-2026-29087, CVE-2026-29786, CVE-2026-30827, CVE-2026-31802, CVE-2026-32141, CVE-2026-32635, CVE-2026-27904 — Fixed
  • CVE-2026-22731, CVE-2026-22732, CVE-2026-22733, CVE-2026-22737 (Spring Boot 3.5 upgrade) — Fixed
Notable features
  • Configurable security headers and env-var-backed CORS configuration
Full changelog

What's Changed

Security

  • Fixed XSS vulnerability in notification center by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15204
  • Fixed CVE-2026-24308, CVE-2026-24281 and CVE-2026-24400 by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15244
  • Added configurable security headers and env-var-backed CORS configuration by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15254
  • Fixed SSRF DNS rebinding bypass, added allow-list by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15253
  • Fixed CVE-2026-24281, CVE-2026-24308, CVE-2026-24400, CVE-2026-29063, CVE-2026-29087, CVE-2026-29786, CVE-2026-30827, CVE-2026-31802, CVE-2026-32141, CVE-2026-32635, CVE-2026-27904 by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15251
  • Fixed CVE-2026-22731, CVE-2026-22732, CVE-2026-22733, CVE-2026-22737 + Spring Boot 3.5 by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15278
  • Fixed CVE-2026-33228 by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15293
  • Fixed CVE-2026-33870, CVE-2026-33871 and GHSA-72hv-8253-57qq by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15315
  • Fixed CVE-2026-33895, CVE-2026-33894, CVE-2026-33896, CVE-2026-33750, CVE-2026-4923, CVE-2026-33671 by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15322

Core & Rule Engine

  • Sanitize database error messages by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15262
  • Added OTA package data cleanup by @AndriiLandiak in https://github.com/thingsboard/thingsboard/pull/14775
  • Fixed notification requests and RPC cleanup timeout on large datasets by @AndriiLandiak in https://github.com/thingsboard/thingsboard/pull/14762
  • Added WS update on telemetry deletion by @dashevchenko in https://github.com/thingsboard/thingsboard/pull/14781

UI

  • Updated locales da_DK, de_DE, el_GR, es_ES, fr_FR, it_IT, ja_JP, nl_NL, no_NO, pt_BR, tr_TR, uk_UA, zh_CN by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15237
  • Hidden "Show on widgets" button on sysadmin level by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15203
  • Fixed WS reconnect loop and notification spam when session limit is reached by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15219
  • Fixed resetting of validation on storeLink property by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15168
  • Fixed proxy error handling for 502/503/504 HTTP status codes by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15292
  • Fixed string-items-list autocomplete selection and blur handling by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15273

Edge

  • Support combined PEM cert+key for Edge gRPC SSL by @smatvienko-tb in https://github.com/thingsboard/thingsboard/pull/15205

Transport

  • Fixed LwM2M Redis stores startup: use separate connections for SCAN and GET by @smatvienko-tb in https://github.com/thingsboard/thingsboard/pull/15143

Full Changelog: https://github.com/thingsboard/thingsboard/compare/v4.2.2...v4.2.2.1

v4.3.1 · Breaking risk
Security fixes
  • CVE-2026-24734 — Fixed
  • CVE-2025-66614 — Fixed
  • CVE-2025-7783 — Fixed
Notable features
  • Angular 20 migration for the UI
  • Cassandra result set byte-size limit added
Full changelog

What's Changed

Security

  • Fixed CVE-2026-24734 and CVE-2025-66614 by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15076
  • Fixed CVE-2025-7783, CVE-2026-26996 and CVE-2026-26960 by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15079
  • Fixed CVE-2026-27903 and CVE-2026-27904 by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15109
  • Added SSRF protection (must be enabled with SSRF_PROTECTION_ENABLED env) by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15123
  • Fixed CWE-770 in Jackson Core (GHSA-72hv-8253-57qq) by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15124
  • Fixed CVE-2026-27970 and CVE-2026-2391 by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15128
  • Fixed CVE-2026-2781, CVE-2026-25646, CVE-2026-21945 and CVE-2026-21932 for Docker images by @ViacheslavKlimov and @smatvienko-tb

Major UI

  • Angular 20 migration by @ikulikov in https://github.com/thingsboard/thingsboard/pull/14944

Core & Rule Engine

  • Fixed getTimeseries API (/{entityType}/{entityId}/values/timeseries) by @dashevchenko in https://github.com/thingsboard/thingsboard/pull/15054
  • Added Cassandra result set byte-size limit by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15058
  • Fixed TBEL script execution failures on repeated runs by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15078
  • Fixed blocking JPA queries on access-validator single thread by @dskarzh in https://github.com/thingsboard/thingsboard/pull/15101
  • Fixed preservation of rule node execution counter in delay and deduplication nodes by @dskarzh in https://github.com/thingsboard/thingsboard/pull/15100
  • Improved Apple OAuth2 mapper and refactored OAuth2 client validation by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15120
  • Fixed infinite loop when rule chain input node forwards to its own rule chain by @smatvienko-tb in https://github.com/thingsboard/thingsboard/pull/15102
  • Made max WS message size configurable by @DmytroKhylko in https://github.com/thingsboard/thingsboard/pull/15116

UI

  • Fixed Redirect Url encoding by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/14985
  • Fixed loading and placement of Material icons by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/14959
  • Fixed Popover placement for Marker, Polygon and Circle overlay config by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/14978
  • Fixed adaptive in mail server configuration by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15018
  • Fixed Range and Bar chart limits setup by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/14964
  • Fixed RGBA and HSLA inputs in color picker by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15031
  • Fixed Entity key autocomplete change check by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15080
  • Fixed a race condition causing the toast component by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15071
  • Fixed a race condition when init image map by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15097
  • Fixed default timewindow config in widget editor page by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15108
  • Removed pattern validation from name field on CF by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15142
  • Updated Ukrainian locale by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15096
  • Extend modules map: moment-timezone, canvas-gauges and ngx-hm-carousel added by @ChantsovaEkaterina in https://github.com/thingsboard/thingsboard/pull/15130

Transport

  • Fixed Sparkplug BIRTH message validation for metrics with empty string values by @nickAS21 in https://github.com/thingsboard/thingsboard/pull/14760

Edge

  • Event-sourced propagation for admin settings by @volodymyr-babak in https://github.com/thingsboard/thingsboard/pull/15050

Full Changelog: https://github.com/thingsboard/thingsboard/compare/v4.3.0.1...v4.3.1

About

Stars: 21,849
Forks: 6,332
Languages: Java, TypeScript, HTML