OpenHands/OpenHands cloud-1.39.0

cloud: 1.39.0

on GitHub

1.39.0 (2026-06-24)

What's Changed

Features

• feat: move existing users into the default org when first auto-added by @ak684 in #14740
• feat: route unclaimed automation events to the default org on single-org installs by @ak684 in #14745
• feat: add hide_personal_workspaces flag for org-only OHE installs by @ak684 in #14741
• feat: make the first signed-in user the default org owner, track the org by is_default flag by @ak684 in #14752
• feat(acp): add switch_acp_model proxy endpoint for cloud conversations by @simonrosenberg in #14744
• feat(acp): add model dropdown and credential fields to agent settings page by @simonrosenberg in #14733
• feat: add validation for secret names to ensure valid env var format by @jpshackelford in #12980
• feat: auto-accept invitation links instead of the confirm/cancel modal by @ak684 in #14786
• feat: expose copyable invite links so invitations work without email delivery by @ak684 in #14758
• feat: accept pending invitations by verified-email match at sign-in by @ak684 in #14759
• feat: explicit OH_DEPLOYMENT_MODE flag; gate cloud-account CTA to enterprise cloud by @ak684 in #14794
• feat: OHE multi-model LLM discovery + BYOK gating (proxy discovery, catalogue union, UX) by @ak684 in #14773
• feat(acp): allow MCP server config for ACP agents by @simonrosenberg in #14613
• feat: enforce conversation limits by @HeyItsChloe in #14168
• feat(APP-2136): expose automations menu item for all users by @erisfully in #14688
• feat(jira-dc): persist and inject per-user OAuth tokens in resolver conversations by @ak684 in #14650
• feat(jira-dc): share linked OAuth token with eligible conversations by @ak684 in #14697
• feat: add DynamicRemoteSandboxSpecService backed by runtime-api warm configs by @tofarr in #14849
• feat: encode harness in chip icon, surface model in chip text by @simonrosenberg in #14510
• feat: PLTF-2956 parallelize GitHub GraphQL queries in get_suggested_tasks by @aivong-openhands in #14821
• feat: surface a clear error when a custom sandbox image's agent-server SDK mismatches by @ak684 in #14883
• feat: PLTF-2968 allow per-deployment resolver macro via OH_RESOLVER_LABEL by @aivong-openhands in #14895
• feat: Support Slack attachments in agent context by @malhotra5 in #14934
• feat: add sub-agent task (TaskToolSet) visualizer to the chat UI by @VascoSch92 in #14928

Bug Fixes

• fix: bump agent-server to 1.27.1 for Gemini cache fix by @ak684 in #14751
• fix: bump agent-server to 1.28.0 by @ak684 in #14754
• fix(acp): sanitize agent-server error body in switch_acp_model proxy by @simonrosenberg in #14760
• fix: Pin duplicate checker action to extensions release by @enyst in #14771
• fix(deps): bump postcss to 8.5.15 to fix XSS (GHSA-qx2v-qp2m-jg93) by @aivong-openhands in #14770
• fix(frontend): start new LLM profiles on basic settings with blank fields by @ak684 in #14782
• fix: preserve LLM base URL on basic saves by @he-yufeng in #14776
• fix(enterprise): litellm_proxy/ → openhands/ on settings load by @smolpaws in #14766
• fix(frontend): treat managed openhands base URLs as provider defaults in view inference by @ak684 in #14783
• fix(frontend): only render the API key input once a provider is selected by @ak684 in #14787
• fix(frontend): hydrate the LLM profile edit form from the selected profile by @ak684 in #14789
• fix(frontend): accept typed emails without requiring Space in the invite input by @ak684 in #14790
• fix: redact credentials from PluginSpec.source during serialization by @simonrosenberg in #14795
• fix: reconcile and label per-(user,org) LiteLLM managed keys by @ak684 in #14803
• fix: default enterprise injector kinds in the image, not just the chart by @ak684 in #14811
• fix(frontend): avoid dirty language filter input by @mturac in #14812
• fix(acp): surface acp_server on cloud conversations so the model picker renders by @simonrosenberg in #14797
• fix: Add SaaS migration for sandbox pause state by @malhotra5 in #14829
• fix: Use final response endpoint for resolver callbacks by @malhotra5 in #14828
• fix: Ignore OpenHands bot GitHub resolver events by @malhotra5 in #14832
• fix: duplicate Slack no-repository selections by @malhotra5 in #14833
• fix: write trajectory exports as utf-8 by @wgu9 in #14810
• fix: use runtime /list API for sandbox concurrency count, not is_paused DB flag by @tofarr in #14834
• fix: renumber duplicate migration 122 → 123 (drop is_paused) by @tofarr in #14840
• fix: API key CORS header handling by @neubig in #14835
• fix: PLTF-2956 batch_get_sandboxes to gracefully handle runtime API failures by @aivong-openhands in #14853
• fix: Fix CVE-2026-48526: Update pyjwt to 2.13.0 by @mamoodi in #14854
• fix: PLTF-2956 log level from warning to error for automation service forwarding failures by @aivong-openhands in #14820
• fix: log error level for failed GitHub payload processing (#14814) by @GautamKumarOffical in #14863
• fix: Fix CVE-2026-49855: Update tornado to 6.5.7 by @mamoodi in #14856
• fix: decouple API-key (Bearer) auth from Keycloak offline sessions by @hieptl in #14867
• fix: Fix CVE-2026-54278: Update aiohttp to 3.14.1 by @mamoodi in #14871
• fix: PLTF-2956 Log 5xx responses at error level in AutomationEventService by @aivong-openhands in #14819
• fix: revert conversation limit enforcement from #14168 by @malhotra5 in #14877
• fix: Fix CVE-2026-12143: Update form-data to 4.0.6 by @mamoodi in #14875
• fix: Fix CVE-2026-53539: Update python-multipart to >=0.0.30 by @mamoodi in #14876
• fix: post Bitbucket DC comments as the bot account and background webhook handling by @ak684 in #14881
• fix(frontend): send on Enter for touchscreen laptops by @VascoSch92 in #14870
• fix: PLTF-2956 Tests for GitHub payload-processing failure log level by @aivong-openhands in #14818
• fix: clean up LLM Profile auth fields (dedupe variant section + exclude inert auth_type) by @ak684 in #14893
• fix: prevent conversation export overload by @neubig in #14899
• fix: Forgejo/Gitea clone failure when hosted under a subpath by @VascoSch92 in #14930
• fix: self-heal stale LiteLLM user on re-onboarding by @simonrosenberg in #14932
• fix: load global user & org skills without a selected repository by @hieptl in #14780
• fix: Fix GHSA-gj48-438w-jh9v: Update bleach to 6.4.0 by @mamoodi in #14945
• fix: Fix CVE-2026-45409: Update idna to 3.15 by @mamoodi in #14946
• fix: Fix GHSA-6v7p-g79w-8964: Update msgpack to 1.2.1 by @mamoodi in #14944
• fix: Fix CVE-2026-49458: Update dompurify to 3.4.6 by @mamoodi in #14872
• fix: Fix CVE-2026-44727: Update jupyter-server to 2.20.0 by @mamoodi in #14943
• fix: binaryornot Python 3 crash on binary reads by @enyst in #14518
• fix: Fix GHSA-jm82-fx9c-mx94: Update pypdf to >=6.13.3 by @mamoodi in #14959
• fix: Fix GHSA-cmwh-pvxp-8882: Update dompurify to 3.4.11 by @mamoodi in #14956
• fix: Fix CVE-2026-41691: Update i18next-http-backend to 3.0.5 by @mamoodi in #14955
• fix: Fix CVE-2026-54283: Update starlette to 1.3.1 by @mamoodi in #14874
• fix: Fix CVE-2026-8723: Update qs to 6.15.2 by @mamoodi in #14957

Documentation

• docs: Bring README.md over from Agent Canvas by @rbren in #14844
• docs(skills): fix typo in OpenHands docs URL in add_agent.md by @sanjibani in #14865
• docs: revise source code links in README.md by @enyst in #14869
• docs: fix broken README urls by @lexcodes-dev in #14907

Maintenance

• refactor(llm): clean up reverse-mapping OpenHands provider models by @enyst in #14725
• refactor(settings): delegate agent-settings merge to SDK apply_agent_settings_diff by @simonrosenberg in #14677
• build(deps): bump SDK packages to v1.28.0 by @all-hands-bot in #14753
• chore(deps): bump pyjwt from 2.12.1 to 2.13.0 by @dependabot[bot] in #14852
• chore: bump SDK and agent-server to 1.29.0 by @ak684 in #14889
• test: replace real sleeps in maintenance runner tests by @aivong-openhands in #13930
• refactor: extract billing test fixtures for PLTF-1269 by @aivong-openhands in #13998
• test: PLTF-1269 replace test_should_ naming with test_verb_noun_context convention by @aivong-openhands in #14015
• chore: purge dead acp_env field footprint (removed in SDK 1.29.0) by @simonrosenberg in #14921

Other Changes

• PLTF-2899: keep resume flow responsive during rate limits by @aivong-openhands in #14660
• fix: _configure_llm now preserves user LLM settings by @shanemort1982 in #14451
• Enable org LLM profiles in settings by @ak684 in #14715
• Revert ACP bootstrap-prompt resume + enable acp_isolate_data_dir on the cloud start path by @simonrosenberg in #14722
• PLTF-2899: Add async/await static analysis checks for enterprise code by @aivong-openhands in #14664
• fix: remove org_id from ownership assertion in save_app_conversation_info by @tofarr in #14727
• Harden workflow GitHub context handling by @enyst in #14537
• ci: add label-triggered OpenHands QA workflow by @enyst in #14730
• Bump SDK packages to v1.27.0 by @all-hands-bot in #14726
• perf: skip runtime API call in webhook auth via SandboxRecord by @tofarr in #14732
• fix(bitbucket-dc): resolve user via whoami so avatars load with OAuth tokens by @ak684 in #14734
• Release 1.8.0 by @mamoodi in #14743
• PLTF-2895: add enterprise migration integrity check by @aivong-openhands in #14689
• PLTF-2895: scope DB sessions tightly in poll_agent_servers to prevent idle-in-transaction by @aivong-openhands in #14637
• ci: adopt release-please for app and cloud releases by @jlav in #14718
• Fix OpenHands LLM key access for credited orgs by @enyst in #14724
• Use reusable issue duplicate checker action by @enyst in #14609
• fix: delete LiteLLM user on personal org reset by @fengjikui in #14700
• fix(frontend): skip Git-related API calls when no Git provider is configured by @saurya in #14338

New Contributors

• @he-yufeng made their first contribution in #14776
• @fengjikui made their first contribution in #14700
• @mturac made their first contribution in #14812
• @wgu9 made their first contribution in #14810
• @sanjibani made their first contribution in #14865
• @GautamKumarOffical made their first contribution in #14863
• @lexcodes-dev made their first contribution in #14907

Full Changelog: cloud-1.38.0...cloud-1.39.0

This PR was generated with Release Please. See documentation.