Documentation : https://docs.bunkerweb.io/1.6.12/
Docker tags :
- All-in-one : bunkerity/bunkerweb-all-in-one:1.6.12 or ghcr.io/bunkerity/bunkerweb-all-in-one:1.6.12
- BunkerWeb : bunkerity/bunkerweb:1.6.12 or ghcr.io/bunkerity/bunkerweb:1.6.12
- Scheduler : bunkerity/bunkerweb-scheduler:1.6.12 or ghcr.io/bunkerity/bunkerweb-scheduler:1.6.12
- Autoconf : bunkerity/bunkerweb-autoconf:1.6.12 or ghcr.io/bunkerity/bunkerweb-autoconf:1.6.12
- UI : bunkerity/bunkerweb-ui:1.6.12 or ghcr.io/bunkerity/bunkerweb-ui:1.6.12
- API : bunkerity/bunkerweb-api:1.6.12 or ghcr.io/bunkerity/bunkerweb-api:1.6.12
Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=1.6.12&filter=all&dist=
Changelog :
v1.6.12 - 2026/06/??
Security
- nginx: updated NGINX to 1.30.3 to fix:
  - CVE-2026-42055: heap buffer overflow in ngx_http_proxy_v2_module/ngx_http_grpc_module
  - CVE-2026-48142: heap buffer overread in ngx_http_charset_module
- api: hardened Biscuit token generation by binding Host header, client IP and username as typed terms, preventing signed Datalog fact injection. Added optional API_ALLOWED_HOSTS.
- api: API_ACL_BOOTSTRAP_FILE now validates supplied bcrypt hashes and rejects weak or malformed values.
- antibot: Cap.js challenge now uses a strict per-request CSP nonce and sends Cache-Control: no-store.
- antibot: fixed an open redirect in the post-challenge redirect flow by enforcing same-origin relative paths.
- ui: fixed session fixation on login by rotating the session ID on every authentication.
- ui: fixed open redirect via the post-login next parameter.
- ui: password changes now revoke the user's other active sessions.
- ui: cache deletion routes now enforce Biscuit authorization.
- ui: improved hostname and ban-scope validation.
- ui: extended CSV/XLSX formula-injection protection to tab and carriage-return-prefixed cells.
- linux: uninstall hooks now preserve logs, configs, databases and backups unless purge is explicitly requested; upgrade backups moved to /var/backups/bunkerweb.
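
The same-origin relative-path rule named in the two open-redirect fixes above (the antibot post-challenge redirect and the UI post-login next parameter), as an added example that is not BunkerWeb's own code. The helper name safe_redirect_path, the fallback of "/" and the sample inputs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Backslash and ASCII control characters: browsers treat "\" like "/" and strip
# tab/CR/LF before parsing, so a value that looks relative can leave the origin.
_FORBIDDEN = {"\\", "\x7f"} | {chr(c) for c in range(0x20)}


def safe_redirect_path(target, default="/"):
    """Return target only if it is a same-origin relative path, else default.

    Hypothetical helper for illustration; not BunkerWeb's implementation.
    """
    if not isinstance(target, str) or not target:
        return default
    if any(ch in _FORBIDDEN for ch in target):
        return default
    # Exactly one leading slash: "//host" is a scheme-relative URL to another host.
    if not target.startswith("/") or target.startswith("//"):
        return default
    try:
        parts = urlsplit(target)
    except ValueError:
        return default
    # Defence in depth: nothing that parses with a scheme or host is accepted.
    if parts.scheme or parts.netloc:
        return default
    return target


# Constructed sample values for the demonstration (example.com is a placeholder).
SAMPLES = [
    "/reports?page=2",          # ordinary in-app path: kept
    "https://example.com/",     # absolute URL: rejected
    "//example.com/login",      # scheme-relative: rejected
    "/\\example.com",           # backslash variant: rejected
    "/\t/example.com",          # control character variant: rejected
    "reports",                  # not anchored at the site root: rejected
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value), "->", repr(safe_redirect_path(value)))
```
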
Features & Improvements
- reverseproxy: added upstream HTTPS certificate verification with:
  - REVERSE_PROXY_SSL_VERIFY
  - REVERSE_PROXY_SSL_VERIFY_DEPTH
  - REVERSE_PROXY_SSL_TRUSTED_CERTIFICATE
  - REVERSE_PROXY_SSL_TRUSTED_CERTIFICATE_DATA
  - REVERSE_PROXY_SSL_TRUSTED_CERTIFICATE_PRIORITY
- antibot: ANTIBOT_IGNORE_URI can now match full request URIs, including query strings.
- scheduler: added SCHEDULER_MAX_WORKERS to cap the job-executor thread pool and reduce database pool pressure.
- ui: ADMIN_PASSWORD can now accept pre-hashed bcrypt values.
- ui: logs viewer overhaul:
  - syntax highlighting for BunkerWeb, certbot and NGINX access logs
  - severity filters with counts
  - in-page search and error navigation
  - live-tail with pause and new-line indicator
  - download/copy actions
  - optional local-time display
  - collapsible multi-line entries
  - improved mobile toolbar layout
- ui: RAW config editor can now fold multi-line file settings, such as certificates and keys.
- mtls: added MTLS_URL_n regex setting to enforce mTLS per path instead of site-wide.
- bunkernet UI: improved status reporting with Connected / API unreachable / Not registered states, masked instance ID and disk self-heal.
Bug Fixes
- letsencrypt: fixed cache poisoning that could cause fleet-wide certbot AccountNotFound.
- letsencrypt: fixed scheduler/UI cache-row write race by sharing one fcntl.flock.
- letsencrypt: fixed Route53 auto-renewal when explicit AWS credentials are used.
- letsencrypt: fixed stale ACME account recovery when LETS_ENCRYPT_CONCURRENT_REQUESTS=yes.
- letsencrypt UI: deleting a certificate no longer fails when unrelated orphaned certificates are present.
- antibot: after solving a challenge, Chrome now returns to the originally requested URL instead of /.
- api: malformed API_ALLOWED_HOSTS wildcards no longer brick the API on every request.
- datastore: changing DATASTORE_LRU_SIZE no longer causes worker API HTTP 444 bootstrap deadlocks.
- database: fixed rc1 regression that reset UI/API-saved settings to defaults after scheduler restart.
- database: env vars no longer stay shadowed after a setting was touched in the UI/API.
- database: multisite env settings for DB-created services are no longer dropped as unknown globals.
- ssl: SSL_ECDH_CURVE=auto no longer emits X25519 on FIPS OpenSSL.
- autoconf: service labels are rechecked when valid settings change, such as after PRO plugin or external plugin installation.
- logger: unreachable LOG_SYSLOG_ADDRESS no longer crash-loops scheduler and UI processes.
- installer: testing/dev install script is now idempotent and avoids duplicating force-bad-version.
- ci: Testing release install script now defaults to the testing channel.
- ui: Setup Wizard now shows a Log Out button when reached while already authenticated.
- ui: RAW mode no longer breaks multi-line file settings such as PEM certificates and keys.
- ui: /home, /reports and /bans load much faster on Redis-backed setups.
- ui: static assets no longer trigger the full per-request lifecycle.
- ui: form-builder no longer creates phantom method=ui rows on no-op saves.
- ui/api: fixed possible login lockout with bcrypt 5.0.0 and passwords over 72 bytes.
- ui: fixed dark/light theme flicker and wrong-theme-on-load.
- ui: fixed plugin metrics crashes on Redis-backed setups.
- limit: fixed spurious HTTP/3 429 responses by separating HTTP/1, HTTP/2 and HTTP/3 connection limits.
- customcert: expired or soon-to-expire custom certificates are now accepted if they are valid X.509 certificates.
Linux & Packaging
- Fedora 43 and 44 now use NGINX 1.30.3.
- Ubuntu Pro/ESM installs now use the upstream CrowdSec engine instead of the outdated ESM build.
- Added Ubuntu 26.04 Resolute Raccoon package target.
- Ubuntu 24.04 Noble moved to the ubuntu-noble identifier.
- Ubuntu 22.04 Jammy remains available as ubuntu-jammy.
Dependencies
- Updated headers-more-nginx-module to 0.40.
- Updated lua-cjson to 2.1.0.18.
- Updated lua-resty-signal to 0.05.
- Updated lua-resty-string to 0.19.
- Updated lua-upstream-nginx-module to 0.08.
- Updated LuaJIT to 2.1-20260701.
- Updated ModSecurity to 3.0.16.
- Updated lua-resty-openssl to 1.8.0.
- Updated coreruleset-v4 to 4.27.0.
- Updated UI dependencies:
  - jQuery 4.0.0
  - Bootstrap 5.3.8
  - DataTables 2.3.8
  - Ace editor 1.44.0
  - ApexCharts.js 5.15.0
  - DOMPurify 3.4.11
  - i18next 26.3.1
  - i18next-http-backend 4.0.0
  - Perfect Scrollbar 1.5.6
  - lottie-player 2.0.12
  - canvas-confetti 1.9.4
  - ipaddr.js 2.4.0
- Updated build tooling:
  - cssnano 8.0.2
  - domino 2.1.7
  - removed unused root jquery dependency
Contributions
- Thanks to @cleverguns for the Filipino / Tagalog web UI translation.
- Thanks to @ray910408 for refreshing src/deps npm build-tool dependencies.
- Thanks to @immanuwell for parsing the DEBUG environment variable as a boolean in the Gunicorn configuration.