Agent Zero Release Notes
Security Fixes
- Fix SSRF in document_query remote fetching (CVE-2026-4308) — Remote document fetching now validates URLs before any network request, blocking localhost and non-public IP targets, validating redirect hops, disabling implicit proxy trust, and enforcing a strict size cap. Third-party loaders no longer receive attacker-controlled URLs directly; content is prefetched and parsed from trusted local bytes. A follow-up fix restores compatibility with public sites that rejected the changed request fingerprint.
- Block path traversal in download_work_dir_file (CVE-2026-4307) — Download requests whose resolved path escapes the runtime base directory are now rejected before any file access, preventing arbitrary file reads.
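
An added example (not Agent Zero's own code) of the destination checks the SSRF fix describes: the addresses behind a URL, and behind every redirect hop, are vetted before any request is made. The names check_url, check_redirect_chain, BlockedURL and MAX_HOPS, and the injectable resolve and next_location callables, are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # assumed limit, not taken from the release notes


class BlockedURL(ValueError):
    """The URL must not be fetched."""


def system_resolver(host, port):
    """Return the set of IP strings the OS resolver gives for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def check_url(url, resolve=system_resolver):
    """Return the vetted IPs for url, or raise BlockedURL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedURL(f"scheme or host not allowed: {url!r}")
    if parts.username or parts.password:
        raise BlockedURL("credentials in URL are not allowed")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addrs = resolve(parts.hostname, port)
    if not addrs:
        raise BlockedURL("host did not resolve")
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        # IPv4-mapped IPv6 (::ffff:127.0.0.1) is judged as the IPv4 inside.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        if not ip.is_global or ip.is_multicast:
            raise BlockedURL(f"{parts.hostname} resolves to non-public {ip}")
    return sorted(addrs)


def check_redirect_chain(start, next_location, resolve=system_resolver):
    """Vet start and each redirect hop before it is requested."""
    # next_location(url) stands in for one request with auto-redirects off;
    # it returns the Location header value, or None when there is none.
    url, chain = start, []
    for _ in range(MAX_HOPS + 1):
        check_url(url, resolve)
        chain.append(url)
        location = next_location(url)
        if location is None:
            return chain
        url = urljoin(url, location)  # relative Location values are legal
    raise BlockedURL("too many redirects")
```

A fetcher built on this should connect to the returned addresses rather than resolve the name a second time, so that the address that was checked is the one that is used.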
New Features
- A0 CLI Connector plugin — New built-in plugin lets the host-side A0 CLI connect to Agent Zero over authenticated HTTP and WebSocket, with capability discovery, chat/context lifecycle endpoints, log streaming, and remote editing, code execution, and file-tree bridging.
- a0-setup-cli built-in skill — Guides users through host-side A0 connector setup with installer-first guidance, container guardrails, and fallback install paths. Updated with Flare Tunnel connection guidance.
- Restore lexical trigger-based skill matching — Lightweight trigger-word scoring is back in search_skills(), re-enabling skills_tool:search and lexical relevant-skill recall for the current user message without requiring vector-DB skill recall.
- Native chat controls for messaging integrations — Telegram, WhatsApp, and email threads now support shared transport-level commands (/project, /config, /send, /queue send) for managing the active chat directly from within each integration.
- Browser Agent model preset selection — The Browser Agent can now use a dedicated _model_config preset for browser runs instead of always using the main model, a highly requested feature.
UI & UX Improvements
- Redesigned messaging integration settings — Email, Telegram, and WhatsApp settings panels have been rebuilt with clearer step-based setup flows, guided first-run experiences, provider presets for email, safer access warnings, richer test feedback, and responsive layouts. Advanced email options (server, routing, scheduling) are moved behind an Advanced section.
- Componentized model config — The model configuration UI has been refactored into components with the store split into mixins and unified API key management.
Other Improvements
- Updated plugin skill guidance to formalize install(), uninstall(), and preupdate() requirements when dependencies are involved.
- Added contributor sharing and fork safety documentation.