github awcodes/filament-curator v3.7.8

5 hours ago

🔒 Security

Backports the fix for a cross-tenant media metadata disclosure in the Curator picker search (introduced in v3.2.4 with multitenancy support). In multitenant panels, an authenticated user could retrieve other tenants' media metadata by typing in the picker search box. Single-tenant installs are not affected.

  • Severity: Medium (CVSS 5.0 — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
  • CWE: CWE-284 (Improper Access Control)

Upgrade recommended for any multitenant deployment. Also fixed in 4.1.1 and 5.1.1. A GitHub Security Advisory and CVE will be linked here once published.
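
The bug class described above (a search that filters on the typed term but not on the current tenant), as an added illustration that is not Curator's code: an unscoped search beside a tenant-scoped one, with a regression check that fails if any returned row belongs to another tenant. The table, column and function names and the sample rows are constructed assumptions.

```php
<?php
// Constructed schema and rows; names are assumptions, not Curator's schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE media (id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL, name TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO media (tenant_id, name) VALUES (?, ?)');
foreach ([[1, 'logo-acme.png'], [1, 'invoice-acme.pdf'], [2, 'logo-globex.png']] as $row) {
    $insert->execute($row);
}

// Escape LIKE wildcards so a term such as "%" is matched literally.
function likeTerm(string $term): string
{
    return '%' . addcslashes($term, '\\%_') . '%';
}

// Unscoped search: filters on the term only, so rows of every tenant match.
function searchUnscoped(PDO $db, string $term): array
{
    $stmt = $db->prepare("SELECT tenant_id, name FROM media WHERE name LIKE ? ESCAPE '\\'");
    $stmt->execute([likeTerm($term)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Scoped search: the tenant id is taken from server-side state, never from the request.
function searchScoped(PDO $db, int $tenantId, string $term): array
{
    $stmt = $db->prepare("SELECT tenant_id, name FROM media WHERE tenant_id = ? AND name LIKE ? ESCAPE '\\'");
    $stmt->execute([$tenantId, likeTerm($term)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Rows in a result set that do not belong to the tenant that ran the search.
function leaked(array $rows, int $tenantId): array
{
    return array_values(array_filter($rows, fn ($r) => (int) $r['tenant_id'] !== $tenantId));
}

// Regression check, run as tenant 1 with a term that matches both tenants' files.
if (count(leaked(searchUnscoped($db, 'logo'), 1)) !== 1) {
    throw new RuntimeException('expected the unscoped search to return one foreign row');
}
if (leaked(searchScoped($db, 1, 'logo'), 1) !== []) {
    throw new RuntimeException('scoped search returned another tenant\'s media');
}
echo "tenant isolation check passed\n";
```

The same `leaked()` style of assertion can be applied to the picker search results of a multitenant panel after upgrading, using two test tenants with similarly named files.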

Full Changelog: v3.7.7...v3.7.8
