⭐ Highlights

• Integrated Markdown editor: visual/source Markdown editing with tables, task lists, images, code blocks, file locking and unsaved-change protection
• Unified editor search: shared search UI for text and Markdown editors, with result count and previous/next navigation
• Configurable document creation: administrators can show or hide OpenDocument and Microsoft Office templates
• Optional trash retention: automatic cleanup can now be configured separately for user spaces and collaborative spaces
• Improved content indexing: more memory-efficient full-text indexing, batched metadata processing and safer cleanup
• OIDC/LDAP synchronization extended: OIDC avatar synchronization and storage quota synchronization through LDAP attributes or OIDC claims
• User visibility controls: users without a group can now be hidden from global visibility with showUngroupedUsers: false
• Text and Markdown editing improvements: better text file detection and increased edit size limit from 10 MB to 25 MB

🐞 Bug Fixes

• Guest link temporary paths: temporary paths for accounts associated with guest links are now created correctly
• File storage consistency: stronger uniqueness checks prevent rare duplicate file storage cases (@zjean)
• More reliable file unlocking: editable file locks are now released more reliably when editors or the browser are closed
• MIME type updates: MIME types are now recalculated after file rename, move or replacement
• Disabled space trash handling: trash for disabled spaces is now shown as disabled and can no longer be browsed
• Improved file selection: range selection works more reliably with filtering enabled
• Safer renaming: renaming now selects only the file name, without the extension
• Web interface polish: sidebar submenu visibility, table row height, dialog spacing and viewer tooltips were refined

⚠️ Security

• Trash immutability for spaces
  Files in the trash are now treated as read-only items. Modifying files in the trash and creating new files there are now blocked.

• More reliable uploads
  Failed uploads are no longer kept in the destination space. File replacements now use temporary files before replacing the destination.

• Better guest link isolation
  Accounts created from guest links now have restricted visibility over users and groups, limited to their managers and personal groups.

• Fixed a security vulnerability: CVE-2026-47684
  SSRF protection for URL downloads has been strengthened, notably against IPv4-mapped IPv6 bypasses, DNS rebinding, unsafe redirects, proxy bypasses and oversized data streams.
  Reported by @x0root

Contributors: @Stephan-P, @7185, @q16marvin, @zjean, @fyr77, @TheLouD1, @markussbk, @Maxmystere, @romainsady

➡️ Read the release announcement

Features

• backend:auth: allow trusted private IPs for OIDC avatar downloads (9c9b682)
• backend:auth: harden OIDC avatar sync and add avatar metadata tracking (22ac4f0)
• backend:auth: map configurable OIDC/LDAP storage quota to user profile (76b4b8c)
• backend:files: enable HTML-to-text conversion for all base elements (6352393)
• backend:files: optimize content indexing memory usage with batched metadata, run_id cleanup, and pending scheduler state (3d819cd)
• backend:files: prevent file mutations in trash repository (738402c)
• backend:files: split trash retention by repository type (1c490ee)
• backend:files: support trusted private IP downloads (44261ea)
• backend:files: trash retention support with indexing and cleanup (c990335)
• backend:users: add avatar synchronization for OIDC users (8790c19)
• backend:users: add showUngroupedUsers toggle for ungrouped account visibility (2fad377)
• backend:users: convert uploaded avatars to PNG during update (47af28b)
• backend:users: hide all users and groups for guest-link accounts (c5e1988)
• files: add a disabled indexing state and update scheduler/admin indexing workflows (f7fc4f1)
• files: add optional document types for frontend (7e8f64f)
• frontend:files: add binary probe for unknown text files (fea9e17)
• frontend:files: implement common file viewer search (ae3866e)
• frontend:files: improve markdown detection and viewer handling (3d2d871)
• frontend:files: refine file actions for trash and selection menus (666d661)
• frontend:files: refresh MIME metadata after move (bb85795)
• frontend:files: select filename without extension when renaming files (163b5c9)
• frontend:files: start implementing markdown viewer editor (f36a2bc)
• frontend:files: WIP markdown viewer editor (c2bf44f)

Bug Fixes

• backend:files: harden multipart upload replacement (c63f83c)
• backend:files: harden remote downloads against SSRF, redirects, proxy bypasses and oversized streams (22e773e)
• backend:files: make space file lookup resilient to stale kind (5f64673)
• backend:links: ensure tmp path is created after authentication for guest links (d782aaa)
• backend:spaces: invalidate spaces cache when space state changes (0c95836)
• backend:users: restrict usersWhitelist so guests only see shared-group or managed users (17fd9ba)
• backend:users: unify avatar rendering to 512px and tune dynamic font scaling (6ecd91d)
• files,comments: prevent duplicate file rows and handle undefined fileId (c04adef)
• frontend:admin: adjust group dialog spacing (c30b72d)
• frontend:admin: allow admins to see all users when selecting members in spaces and child shares (cba4eeb)
• frontend:auth: handle impersonation logout without token refresh retry and force fallback logout on error (ead2508)
• frontend:files: unlock extensionless text files on viewer close (9595153)
• frontend:files: fix range file selection when filtering is enabled (43125d5)
• frontend:files: hide PDF viewer toggle label on mobile (9d1154e)
• frontend:files: initialize file selection after dialog view init (9d0fe08)
• frontend:files: prevent stale save tooltip in viewers (70b3b98)
• frontend:files: release editable viewer lock on destroy (5fdc7b2)
• frontend:files: unlock text editors on page unload ([4f9025e](4f9025e...

Security

• deps: update Fastify to 5.8.5 to address CVE-2026-33806

Features

• admin: add indexing box to admin tools (8686147)
• backend:files: treat "_" as a term boundary in regex search (bcd3577)

Bug Fixes

• backend:files: add support for page rotation during OCR extraction (6837cc4)
• backend:files: handle axios content-length header as number-safe value (3599ccb)

⭐ Highlights

• Full-text search upgrade: PDF OCR indexing and Markdown content indexing
• Admin improvements: spaces can now be created/managed from the administration UI, with direct quota management
• New file event system: automatic storage usage recalculation and full-text reindexing
• Guest management enhancement: managers can now administer guests’ personal groups from profile settings
• LDAP support extended with tlsOptions (including ca, rejectUnauthorized, etc.)
• Better PDF experience: pdf.js is now the default viewer, with edit-mode fallback to OnlyOffice. Thanks @zjean
• Reliability : indexing scheduler concurrency fix, cache/WebDAV/URL fixes.

⚠️ Security

• Basic Auth security hardening
  The cache key is now based on a hash, eliminating case-related collisions and preventing the storage of decodable identifiers.
  Thanks @zalo-alex and @naif-alfardan

• Fixed a security vulnerability: CVE-2026-41161 GHSA-43fj-qp3h-hrh5
  A flaw allowed user account enumeration via the login endpoint through response time analysis, particularly in brute-force scenarios.
  Reported by @ppfeister, fixed by @7185

➡️ Read the release announcement

Features

• admin: allow managing spaces from the admin section (9822209)
• backend:auth: add tlsOptions support for ldap provider (2042ade)
• backend:files: add indexing support for markdown files (abf59e7)
• backend:files: add pdf ocr indexing (d37c531)
• backend:files: add support for configurable OCR language paths (48443aa)
• backend:files: align emitted FileEvent actions with real file mutations (e0c7175)
• backend:files: emit file event on document modification (e7ed38c)
• backend:files: extend indexing key generation for anchored roots (824bff8)
• backend:files: implement file event manager (c9951d7)
• backend:files: implement incremental indexing triggers for full-text search (468c1c3)
• backend:infrastructure: allow null or undefined args in cache key slug generation (9d661ea)
• backend:users: allow searching groups by description (434bd30)
• frontend:admin: show cumulative storage usage for users and spaces (5af4996)
• frontend: extend group parent model with description and adjust anchor file dialog layout (01bc72b)
• users: allow to manage personal groups from the guest profile dialog (c5d3c70)

Bug Fixes

• backend:auth: derive basic auth cache key from hashed credentials instead of Authorization header (be98def)
• backend:auth: prevent user enumeration via timing attacks (80eebf3)
• backend:files: ensure content indexing scheduling has no parallel executions (0bef5a6)
• backend:files: ensure storage quota is updated in cache (030b87e)
• backend:files: handle locks without scope in checkConflicts (f9bcbde)
• backend:files: handle optional chaining in indexing key generation (2b2c238)
• backend:users: ensure whitelist cache entries with parameters are properly cleared (5e21b8d)
• backend:users: handle guest login rename without space location rename (2627d2d)
• backend:users: sanitize group and app password names for safe route params (d1b21a8)
• backend:webdav: restore access to shares repository via WebDAV (bec04e1)
• files: encode special characters not handled by AuthInterceptor (d9e81f0)
• files: handle document-open error messages for HEAD requests (328d823)
• frontend:users: add button behavior inside groups (d13132a)
• users: ensure guests cannot be elected as group managers (24e0d57)

⭐ Highlights

• 🎨 Major frontend UI refresh for a cleaner, more modern experience
• 🔐 New OIDC provider toggle: security.supportPKCE for PKCE flow control
• 🐳 Docker enhancement: new FORCE_PERMISSIONS env var to enforce data file permissions (@7185)
• 🌍 Internationalization update: Dutch (nl) locale added (@Stephan-P)
• 🕒 Database reliability: MySQL connections now consistently use UTC timezone
• 📂 File handling hardening: better PDF cleanup and safer directory scanning (skips unreadable paths)
• ➕ Additional quality and stability improvements across backend and frontend

➡️ Read the release announcement

Features

• frontend refresh UI (#127)
• backend:auth: add toggle for security.supportPKCE in OIDC provider (d90cbf7)
• docker: add FORCE_PERMISSIONS variable to set permissions on data files (1eb57d6)
• frontend:i18n: add nl (4c3a0cb)

Bug Fixes

• backend:database: ensure MySQL connection uses UTC timezone (e7d2ed9)
• backend:files: avoid buffer copy and ensure PDF document cleanup (f28c71b)
• backend:files: skip unreadable directories when walking for size and entry counts (6b0a6a7)
• frontend:recents: move user avatar tooltip container to body to fix overlap with card (5029911)

⭐ Highlights

• 🆔 OpenID Connect (OIDC) authentication support
• ⚠️ Breaking change: authentication configuration renamed and refactored
• 🔐 New authentication architecture enabling Desktop & CLI registration via OIDC
• 🏢 Advanced LDAP support (service bind, admin break-glass, DN/CN, auto user & permissions)
• 🔑 Support for OTP recovery codes and application-based client registration
• 🧩 Improved configuration validation and error diagnostics
• ✨ User experience improvements (recent items redesign, file rename behavior)
• 📊 JSON logging output for improved observability
• ➕ And many other improvements and refinements

➡️ Read the release announcement

⚠ BREAKING CHANGES

• auth: rename method to provider in AuthConfig and replace authMethod with authProvider for naming consistency (9d187e0)
• backend:auth:ldap: move adminGroup to options (96d52c9)

Features

• auth:oidc: enhance OIDC configuration (8bcf35d)
• auth:oidc: revise authentication flow logic (abb9979)
• auth:sync: introduce registerWithAuth to enable desktop client registration from external process (OIDC) (b6525ec)
• auth: implement OIDC authentication support and refactor auth providers (28bbf1d)
• auth: refactor authentication services and add desktop client registration support (08c6e0f)
• auth: support desktop app OIDC authentication flow (0d6963f)
• backend:auth:ldap: add service bind support, adminGroup DN/CN handling, optimized search flow, tests, and updated docs (f7b9d0f)
• backend:auth:ldap: add autoCreateUser and autoCreatePermissions (96d52c9)
• backend:auth: add LDAP/OIDC local password fallback and admin break-glass access (23a93b5)
• backend:config: improve error messages for environment config validation (a5df529)
• backend:sync: add support for TOTP recovery codes during client registration (3cb3ea4)
• backend:sync: improve sync path error handling and enforce subdirectory selection (549ada3)
• backend: add jsonOutput option to logger (02cbe04)
• frontend:spaces: improve server connection error handling and UI feedback (097b230)
• frontend/backend: add client auth scope for password-based apps to register servers across desktop apps and CLI (5f131bf)
• frontend: allow filename rename validation on blur (da930b8)
• frontend: restyle recents widget (9845502)
• frontend: update widget badge styles and color scheme (10feb97)

Bug Fixes

• backend:webdav: ensure lock paths in headers are decoded correctly (ceb2f38)
• backend:webdav: set correct http status line (a651fc3)
• frontend:routes: remove redundant canActivateChild guard from app routes (3b5a80a)
• frontend:spaces: remove tap directive keyboard handler blocking spaces in edit input and preserve whitespace in displayed file name (e0b328b)

Security

• backend: upgrade tar to 7.5.4 (GHSA-8qq5-rm4j-mr97) (a42c1079)

Features

• frontend: add delayed auto-collapse functionality for right sidebar (315bad2)

Bug Fixes

• auth:webdav basic auth fails with ":" in password (#104) (9671b71)
• backend:comments: refine file path query for better handling of space roots (5b0c8ff)
• backend:webdav: treat PUT requests as binary streams to avoid body parsing (edc291c)

⭐ Highlights

• 📝 Collabora Online integration
  Collaborative online editing based on open standards, with native support for OpenDocument formats and compatibility with Microsoft Office formats.

• 🔀 Intelligent multi-editor management
  Automatic selection of the most appropriate editor based on the document format, with the ability to set a default editor.

• 🔗 Enhanced public links
  Access, view, and edit documents directly through public links, depending on formats and access rights.

• ⚙️ Platform evolution
  Migration to Node.js 24, while maintaining compatibility with Node.js 22, improving stability and performance.

Features

• backend/frontend:files: improve file locking logic, enhance compatibility across apps such as WebDAV and Collabora and OnlyOffice (9eb5a17)
• files: add Collabora Online integration to Docker setup (abe4fa4)
• files: collabora online integration (dabeff6)
• files: Collabora Online integration, multi-editor support, and improved file locking (e6bedc1)
• files: improve editor selection and add editor preference support (8fea357)
• frontend/backend:files: simplify file opening flow and improve readonly handling (6563f44)
• links: allow direct access to spaces via public links; add file preview/edit/download; improve password validation (5102e9a)

Bug Fixes

• backend:files-scheduler: correct ordering of recent files (aea6bcd)
• backend:shares: clear cached permissions when share link permissions are changed (95a455b)
• backend:spaces: apply MODIFY permission for PUT requests on existing files instead of ADD when the resource exists (e73ae93)
• backend:webdav: properly handle HEAD requests on directories, match lock source file when the file is a space root and extend lock owner information (f1f4836)
• docker:collabora: add capabilities for debian based hosts (9275df6)
• frontend:auth: ensure server config is initialized during authentication to prevent OTP prompt from not appearing on desktop (e0053ae)
• frontend:files: adjust badge styles to use white-space-normal for consistent text wrapping (615ea00)
• frontend:files: correct writeable condition (288193e)
• frontend:files: load tasks only when a user is logged in to prevent interceptor redirects when refreshing a public link URL (bda58d6)
• frontend:i18n: remove explicit 'en' locale definition to prevent bs-datepicker translation conflicts (13529f1)
• frontend:spaces: display deactivation date when space is disabled (7df2535)

Bug Fixes

• backend:files: skip adding recents for trashed files (c445196)
• backend:schedulers: resolve scheduled methods being skipped because of Timeout decorator overlap (50f4140)
• frontend:files: enable autoplay for video in media viewer component (20fe25f)
• frontend:files: remove hidden class from buttons for consistent visibility across breakpoints (a60538a)
• frontend:files: update file metadata timestamps on save and align OnlyOffice state change handlers (db768e1)
• frontend:search: improve search input layout and update filter button visibility for responsiveness (09ebce6)
• frontend:spaces: show disabled space message to space managers (f8bcdf7)

Security Fixes

• backend:security: prevent stored XSS by serving files with Content-Disposition: attachment to avoid arbitrary JavaScript execution in the browser (a6276d0)

Bug Fixes

• ci: update Dockerfile to use alpine3.22 to avoid errors with busybox-1.37.0-r29 (ede1bec)
• backend:users: clear whitelist caches when group visibility changes (071c3ae)
• frontend:files: fix DataTransfer usage after async operations and delay overwrite until analysis completes to restore overwrite on dropped files (d9935e5)
• frontend:styles: add min-width on app-auth background class (dffd5e5)

Community Highlights ❤️

We would like to thank @x0root for reporting this vulnerability and helping improve the security of the project.