github UNITRONIX/BetterDesk v3.1.3-dev
BetterDesk 3.1.3-dev — Security hardening
on GitHub

pre-release4 hours ago

Development channel release

Branch: dev
Apply via: Settings → Updates (set update channel to Development) or betterdesk.sh on dev branch.

This pre-release bundles security fixes and dependency updates. Server and panel changes ship through the built-in panel updater; desktop Tauri clients require a separate rebuild to pick up Rust dependency bumps.

Security fixes

CVE-2026-50575 / GHSA-3v82-3gf8-fxx8 — device replay after delete (High)

  • WebSocket signal registration now rejects soft-deleted peer IDs (new registration and heartbeat), matching the existing UDP/TCP path.
  • UpdatePeerStatus no longer marks soft-deleted rows ONLINE.
  • Restoration remains explicit via POST /api/peers/{id}/restore or the panel Restore action only.

Dependency updates (Dependabot)

Package Version CVE / advisory
go-ntlmssp 0.1.1 CVE-2026-32952
golang.org/x/image 0.38.0 CVE-2026-33809
pgx/v5 5.9.2 GHSA-j88v-2chj-qfwx
openssl (Rust) 0.10.80 GHSA-xp3w-r5p5-63rr, GHSA-phqj-4mhp-q6mq
tauri 2.11.2 GHSA-7gmj-67g7-phm9

CodeQL / hardening

  • OIDC discovery URLs validated before HTTP fetch (blocks metadata / link-local SSRF).
  • Language editor routes confined to web-nodejs/lang/.
  • Server file browser restricted to allowed directory roots (BETTERDESK_FILE_ALLOWED_ROOTS env for extra paths).
  • Network monitor TCP checks resolve DNS before connecting.
  • Address-book tag merge capped (allocation overflow guard).
  • Panel updater uses execFileSync argv arrays instead of shell strings.
  • Auth logs no longer echo usernames on sensitive migration paths.
  • Rate limiting on /api/logs/recent and /api/database/stats.

How to verify (CVE-2026-50575)

  1. Register a device in managed enrollment mode.
  2. Delete it in the panel (without restore).
  3. Attempt re-registration from the client — server log should show Rejected registration of deleted peer.
  4. Use Restore in the panel — device can register again.

Operator notes

  • File browser: if Server Management cannot access custom paths, add BETTERDESK_FILE_ALLOWED_ROOTS=/your/path to the panel .env.
  • Desktop clients: openssl / tauri bumps affect betterdesk-mgmt and betterdesk-agent-client only after rebuilding those binaries.
  • Remaining alerts: glib (transitive GTK) and some dev-script CodeQL findings are tracked for a follow-up patch.

Full changelog: CHANGELOG.md#313--2026-06-09

Check out latest releases or
releases around UNITRONIX/BetterDesk v3.1.3-dev

Don't miss a new BetterDesk release

NewReleases is sending notifications on new releases.

Get notifications