New features
- SFTPD: Added support for OpenPubkey SSH, enabling tighter integration between OpenID Connect and SFTP.
Bug fixes
- Enforced password validation rules also when applied through a group.
- Fixed an issue where JSON dumps containing command actions failed to load correctly at startup when loaded as initial data.
- Data Provider: Fixed lock handling issues during migrations that could affect MySQL when migrations are executed concurrently by multiple instances.
Security fixes
- Fixed a potential path traversal and permission bypass involving specially crafted paths. CVE-2026-30914.
- Fixed placeholder sanitization in group home directories and key prefixes. CVE-2026-30915.
Backward incompatible changes
- Unified path handling: Prior to this release, the backslash character (
\) was treated differently depending on the host operating system: on Linux, it was considered a standard character within a file or directory name, while on Windows, it acted as a path separator. We have now unified path handling across all platforms. Moving forward, both forward slashes (/) and backslashes (\) are strictly evaluated as path separators, independently of the underlying OS.