Added
- Package signing and update authenticity hardening for supported Linux packages.
Improved
- App hardening from the Fable 5 audit, including WireGuard key validation, Control D API key log redaction, IPC exposure hardening, safer logging, installer argument redaction, and package/dependency handling fixes.
- Windows helper IPC parameter validation to reduce local IPC attack surface.
- Linux helper IPC/API hardening after EGL gid-check bypass review.
- Windows IKEv2 connector stability to mitigate possible crashes.
- macOS builds against Xcode 26.5 and enabled ARC for client-common Objective-C++ code.
- Proxy Gateway privacy by no longer logging blocked destinations for HTTP and SOCKS gateway requests.
- IP Stack preference wording to clarify it applies to WireGuard only.
- Preferences title casing consistency.
- Sign Up screen helper text styling under the Password and Email fields.
- JSON/INI import consistency for proxy sharing and MAC spoofing settings.
- Debug logs by removing false positives that could mislead automated log analysis on Windows.
- Russian and Ukrainian translations in the desktop app, installer, and CLI from GitHub user
WkdXeqtr. - Belarusian translations in the desktop app, installer, and CLI from GitHub user
dubovy-achvelak.
Fixed
- DLL planting vulnerability in the Windows bootstrapper and uninstaller.
- Windows installer/updater staging TOCTOU allowing the privileged helper to copy from a different source path than the one it validated.
- Local privilege escalation security vulnerability from app retaining SETGID capability after group switch on Linux.
- Possible local privilege escalation chain involving external-link opening and OpenVPN directive validation bypass.
- OpenVPN custom config filtering to handle embedded NULL/control characters consistently and reject unsafe directives.
- OpenVPN custom config parsing to prevent commented-out
route-nopull/route-noexectext from disabling automatic firewall handling. - Malformed OpenVPN inline tags bypassing custom config directive filtering.
- AmneziaWG custom WireGuard I-values allowing newline/config injection in imported custom configs.
- Custom OpenVPN device names that could bypass Linux DNS leak protection by using wildcard-style interface names.
- Split tunneling service startup failures not showing the expected user-facing warning prompt on Windows.
- A crash when clicking the menu bar icon on affected macOS 27 beta builds.
- DNS leak protection allowing pre-VPN OS DNS resolvers when DNS traffic egressed over the VPN interface on Linux.
- Always On+ firewall feature eventually showing the Ignore SSL errors prompt during blocked or delayed connectivity.
- Launch on startup mechanism may fail to apply during a reboot.
- Control D via API Key connections failing when an IPv6 bootstrap IP from Custom DNS was retained without native IPv6.
- Ignore SSL Errors runtime bypass handling to reset wsnet failovers before retrying failed requests.
- IP pinning fallback when an Advanced Parameters remote IP does not match the selected location.
- Memory leak when handling CLI IPC commands.
- Windows installer progress handling near completion when uninstalling previous components and launching the app.
- Periodic reconnects on Windows IKEv2 connections caused by transient OS status checks.
- Logout/session deletion leaving the Windscribe IKEv2 VPN profile in macOS System Settings.
- Linux address selection so IPv6-capable VPN connections do not incorrectly prefer IPv4 via Windscribe gai.conf handling.
- deb/rpm packages installing scripts or helper files with world-writable permissions.
- Data-remaining counter showing 0 bytes after an expired/blocked account state and newly logged into account has remaining data.
- Networks marked Unsecured being treated as Secured on launch, which could incorrectly trigger auto-connect.
- Imported dashed MAC spoof values showing incorrectly and reporting MAC spoofing failure even though the spoof was applied.
- IKEv2 inclusive split tunneling leaving a low-metric default tunnel route active, causing non-included traffic to route through the VPN on Windows.
- Linux IPv6 split-tunnel routes being added without the required interface name.
- Linux IPv6 DNS leak protection missing ip6tables rules for IPv6 DNS resolvers.
- Linux split-tunneling process monitor skipping proc events after the first netlink read.
- Linux split-tunneling setup failures being reported as successful.
- Persistent Ignore SSL Errors preference behavior so TLS validation bypass is runtime-only and does not survive app restart.
- Connected DNS Custom 0.0.0.0 breaking local ctrld resolver behavior while connected.
- Split tunneling disabled message handling on macOS.
Updated
- Updated wsnet to 1.5.20.
Removed
- The Contact Humans preference from the help UI.
GUI Installer Hashes
| Installer | SHA-256 hash |
|---|---|
| Windows amd64 | 3430c28f606591b8f13c9d4d1a960b844ae217b0b6c5ebeb50bd764a3e88a33b |
| Windows arm64 | 065544d2f821aa5730db43fbdc3a71b01b18a41872bf038af6977a82ea5c7c5c |
| macOS universal | 393a9c0650a66b4fea87716f9a47369a20cb70681cb2cc6ee0cef157f693d116 |
| Ubuntu amd64 | 9b22ad0369e7539d309c21a2535f46aa7d805d9e2ad6250dbbc376de87c333ee |
| Ubuntu arm64 | 9f6bf75d4579c2e9193235b18bc2d603426b08558df31d2a4eb47fc92335d42c |
| Fedora amd64 | f2e5299902a991067dc168120e5596739ef32e7b9c5c88c7c6251654bde2a864 |
| Fedora arm64 | cc621bd7fcf286b3fc8da34395c8bbfacb3cca7df145d2dc10d543d868d14fef |
| OpenSUSE amd64 | 4b31e4b52009a9eb6d15fc37bfb69606f815835b46aff0d94c317108f0dc5967 |
| Arch Linux amd64 | c7a1c9a140807298444bb352ac635f349f535de9b13ae0cef33954c0cb29c30f |
CLI Installer Hashes
| Installer | SHA-256 hash |
|---|---|
| Ubuntu CLI amd64 | cac917bf60b6f7fe9f9e6ac09e970ba0ffbbb52ac0d4d4afe259ae78727b0e11 |
| Ubuntu CLI arm64 | 5775fd86f67d08e926a31853fb74fd1401932a8a6af88f006bbac0c3efbde7f9 |
| Fedora CLI amd64 | 9ae35e6c7877f0fd4203c3c5826536f403a729bcb90a496e8a252753de929023 |
| Fedora CLI arm64 | f0522b756efd188a29b7627fb8b7594e1bfc5b13d95df54f84bcb287453525e3 |
| OpenSUSE CLI amd64 | 44a2462b7c117bb2c221e1119ca41a375fde0f5ec574b67ac13f82d1b2cd0edf |
| Arch Linux CLI amd64 | b4a338c525032dab9fa62f9fb2f282e967533c182b91467d3f13d40d7be0d658 |