Documentation : https://docs.bunkerweb.io/1.6.13/
Docker tags :
- All-in-one :
bunkerity/bunkerweb-all-in-one:1.6.13orghcr.io/bunkerity/bunkerweb-all-in-one:1.6.13 - BunkerWeb :
bunkerity/bunkerweb:1.6.13orghcr.io/bunkerity/bunkerweb:1.6.13 - Scheduler :
bunkerity/bunkerweb-scheduler:1.6.13orghcr.io/bunkerity/bunkerweb-scheduler:1.6.13 - Autoconf :
bunkerity/bunkerweb-autoconf:1.6.13orghcr.io/bunkerity/bunkerweb-autoconf:1.6.13 - UI :
bunkerity/bunkerweb-ui:1.6.13orghcr.io/bunkerity/bunkerweb-ui:1.6.13 - API :
bunkerity/bunkerweb-api:1.6.13orghcr.io/bunkerity/bunkerweb-api:1.6.13
Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=1.6.13&filter=all&dist=
Changelog :
Security
-
[SECURITY]
nginx: update NGINX to 1.30.4, except on Fedora, which remains on 1.30.3 until the new version is available in its repositories. This fixes:- CVE-2026-42533, a heap buffer overflow in regex matching used by the
mapdirective. - CVE-2026-60005, an uninitialized memory access in the
slicedirective with background cache updates, which could disclose worker-process memory or crash a worker. - CVE-2026-56434, a use-after-free in
ngx_http_ssi_filter_module.
- CVE-2026-42533, a heap buffer overflow in regex matching used by the
-
[SECURITY]
blacklist,greylist,antibot: forward-confirm reverse DNS results before honoring anIGNORE_RDNSorGREYLIST_RDNSsuffix match. An attacker can no longer bypass blocking, gain greylist access, or skip an antibot challenge by configuring a PTR record that ends with a trusted suffix such as.googlebot.comwithout controlling that domain. (Fixes GHSA-q54j-5484-pvjm) Thanks to @kule500 for the report. -
[SECURITY]
letsencrypt: validate ACME challenge tokens against the base64url character set. This prevents../payloads from writing, overwriting, or deleting files outside the challenge directory as thenginxuser through the internal API. (Fixes GHSA-79fm-4xj6-pp5g) Thanks to @xyptonize and @kule500 for the report. -
[SECURITY]
instances: validate registered destinations as IPv4 or IPv6 literals, or as IDNA-normalized DNS hostnames, at every input and outbound-client boundary. Trailing-dot FQDNs remain supported, while URL user information, paths, queries, fragments, malformed ports, and non-HTTP(S) schemes are rejected with a validation error instead of causing an internal server error. (Refs GHSA-rwch-jhxx-cx5f) Thanks to @adilkhan7546 for the report. -
[SECURITY]
ui: enforce TOTP verification using the exact validation endpoint instead of matching any path containing/totp. This prevents password-only sessions from accessing/profile/totp-refreshand rotating recovery codes before completing the second authentication factor. (Fixes GHSA-j63f-j59c-q626) Thanks to @de3erve-hunter for the report. -
[SECURITY]
api: document that fine-grained permissions allowing writes to configurations, services, plugins, or global settings are equivalent to administrator access. Their payloads are rendered into raw NGINX or OpenResty Lua configuration and can therefore execute code as the BunkerWeb process user. A warning is now logged when one of these permissions is granted to a non-administrator API user. (Refs GHSA-5xh4-hfr2-jm9m, GHSA-4xv6-4mw6-34m7, GHSA-cc8g-89qq-j9vm)
Features
-
[FEATURE]
limit: addUSE_LIMIT_REQ_GLOBALandLIMIT_REQ_GLOBAL_RATEto cap the total aggregate request rate for a service across all clients and URLs. The global limit is evaluated before the existing per-IP and per-URL limits, allowing origin or backend capacity to be protected independently. Disabled by default. -
[FEATURE]
country: addCOUNTRY_IGNORE_URIto skip country whitelist and blacklist checks for URIs matching a list of PCRE expressions. Matching is performed against both the request path and the complete request URI, including its query string, consistently withANTIBOT_IGNORE_URI. -
[FEATURE]
antibot: addANTIBOT_SUCCESS_URIto redirect clients to a fixed URI after they successfully complete a challenge. Leaving the setting empty preserves the existing behavior and returns clients to the originally requested page. (Fixes #3704)
Bug fixes
-
[BUGFIX]
authbasic: fix an error occurring after every successful basic-auth login. The plugin attempted to write to the undeclared$auth_uservariable and to the read-only$remote_usercore variable, resulting invariable "remote_user" not changeable. Both unnecessary writes have been removed. NGINX continues to populate$remote_userautomatically from the authenticated request. -
[BUGFIX]
ui,api: delete custom configurations using their exact keys. Removing the final UI-managed or API-managed configuration no longer requires replacing every configuration belonging to the same method, avoiding races with concurrent updates. -
[BUGFIX]
headers: makeKEEP_UPSTREAM_HEADERSrecognize and preserveContent-Security-Policy-Report-Only. Upstream report-only policies are now kept by default and are no longer silently overwritten whenCONTENT_SECURITY_POLICY_REPORT_ONLY=yes.