Security
This release fixes CVE-2026-49994 (GHSA-qj2j-wcg3-74jw) — a critical missing-authentication issue where the /api/* routes were reachable without a valid session even when web authentication was enabled, exposing device data and allowing settings/group mutations.
The web server now applies a default-deny authentication middleware: every route requires a valid session except the endpoints needed to log in. All users running with web auth enabled should upgrade.
Affected: all releases through v0.7.0. Fixed: v0.7.1.
Reported by Qihang via coordinated disclosure — thank you.
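The default-deny pattern described above, sketched as a WSGI middleware. This is an added example, not the project's code: the route names, the cookie name `session` and the in-memory session set are assumptions made for illustration.

```python
import posixpath
from http.cookies import CookieError, SimpleCookie
from wsgiref.util import setup_testing_defaults

# Assumptions: these routes, the cookie name and the session store are
# hypothetical; the release notes do not show the project's real ones.
PUBLIC_ROUTES = {("GET", "/login"), ("POST", "/api/login")}
SESSIONS = {"constructed-session-token"}  # constructed sample session

def inner_app(environ, start_response):
    # Stand-in for the real handlers; it performs no auth check of its own.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

class RequireSession:
    """Default-deny: only exact (method, path) pairs in `public` skip auth."""

    def __init__(self, app, public, sessions, cookie_name="session"):
        self.app, self.public = app, frozenset(public)
        self.sessions, self.cookie_name = sessions, cookie_name

    def has_session(self, environ):
        try:
            morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get(self.cookie_name)
        except CookieError:
            return False
        return morsel is not None and morsel.value in self.sessions

    def __call__(self, environ, start_response):
        # Normalise first so "/login/../api/devices" is judged as "/api/devices".
        path = posixpath.normpath("/" + environ.get("PATH_INFO", "").lstrip("/"))
        environ["PATH_INFO"] = path
        is_public = (environ["REQUEST_METHOD"], path) in self.public
        if not is_public and not self.has_session(environ):
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"authentication required"]
        return self.app(environ, start_response)

def status_of(app, method, path, cookie=None):
    """Drive the WSGI app in-process and return the numeric status code."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_COOKIE": cookie or ""}
    setup_testing_defaults(environ)
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return int(seen[0].split()[0])

app = RequireSession(inner_app, PUBLIC_ROUTES, SESSIONS)
```

Because the allowlist is matched exactly on method and normalised path, a route added later is protected unless someone deliberately lists it as public.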