This release includes an important security fix, so upgrading is strongly recommended.
This is a security release addressing CVE-2026-22689, which allowed unauthenticated browser access to the WebSocket that delivers real-time web UI updates when new messages are received. A huge thanks to the security researcher (@omarkurt) who reported this issue responsibly.
Security
- Prevent Cross-Site WebSocket Hijacking (CSWSH), which allowed unauthenticated access to message data (CVE-2026-22689)
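
A common server-side defence against CSWSH is to validate the `Origin` header of the WebSocket handshake before upgrading. The sketch below is an added illustration, not this project's actual patch; the function names, hostnames, port and allow-list are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// originAllowed decides whether a WebSocket handshake may proceed. origin is the raw
// Origin header, host the Host header, allowed extra origins ("scheme://host[:port]").
func originAllowed(origin, host string, allowed []string) bool {
	if origin == "" {
		// Design choice: browsers always send Origin on WebSocket handshakes.
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return false // rejects "null" (sandboxed frames, file://) and malformed values
	}
	if strings.EqualFold(u.Host, host) {
		return true // same host and port as the server the page was loaded from
	}
	for _, a := range allowed {
		if strings.EqualFold(strings.TrimSuffix(a, "/"), u.Scheme+"://"+u.Host) {
			return true
		}
	}
	return false
}

// guardUpgrade wraps a WebSocket handler and refuses cross-origin handshakes
// before any upgrade or data exchange takes place.
func guardUpgrade(next http.Handler, allowed []string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !originAllowed(r.Header.Get("Origin"), r.Host, allowed) {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample handshakes against a server reached as mail.example.test:8080.
	for _, o := range []string{"http://mail.example.test:8080", "https://evil.example", "null", ""} {
		fmt.Printf("%-32q allowed=%v\n", o, originAllowed(o, "mail.example.test:8080", nil))
	}
}
```

An Origin check stops a third-party page from driving a victim's browser into the socket; it complements authentication on the endpoint and does not replace it.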
Feature
- Allow default relay addresses to be set when releasing a message (#594)
Chore
- Remove webkit warnings about missing template / render functions
- Avoid empty URL query parameter when returning to inbox from message view