Released 2026-07-01

Maintenance and Security release addressing a critical authentication bypass vulnerability in the SOAP API (CVE-2026-47156, thanks to MacCaulay Hudson of watchTowr) as well as 7 other vulnerabilities including SQL injection, remote code execution, Cross-site scripting, missing authorisation and improper input validation (refer to issues in the Change Log for details and security researchers credits). This release also fixes a few bugs, including a regression introduced in 2.28.2.

  • 0037237: [printing] Printing an issue having notes without text triggers PHP error (dregad)
  • 0037250: [ui] The news_list_page.php page does not display news for “All Projects” (community)
  • 0037256: [email] Incorrect log message regarding sent email (community)
  • 0037075: [api soap] SOAP Issue Update Implicitly Reassigns Reporter To The Caller When reporter Is Omitted (dregad)
  • 0037135: [authentication] Fix CSRF validation failure in anonymous login (community)
  • 0037257: [ui] Incorrect identification of a non-default mention tag (dregad)
6 issues View Issues