jeffcaldwellca/mkcertWeb v4.0.0 — Security Release


Release Notes — Version 4.0.0

Release Date: 2026-05-17
Type: Security Release (breaking)
Severity: High
Upgrade priority: Urgent


TL;DR — what you must do on upgrade

This is a security release that closes vulnerabilities exploitable from any
device on the same network the server is reachable from. There are also two
hard cleanup actions that prior versions made necessary:

  1. Rotate any credentials that were in .env on the machine that built or
    published older Docker images. Until v4.0.0 there was no .dockerignore,
    so .env was copied into image layers and shipped to anyone who pulled
    the image. Anything in there should be assumed leaked. (Includes:
    AUTH_PASSWORD, SESSION_SECRET, SMTP_PASSWORD, OIDC_CLIENT_SECRET,
    NTFY_TOKEN, WEBHOOK_URL, etc.)
  2. Revoke and reissue any certificates chained from the baked-in CA that
    shipped in the public jeffcaldwellca/mkcertweb:<= 3.2.0 image. Every
    pulled image of older versions used the same rootCA-key.pem — anyone
    who pulled the image holds that key. After upgrading, generate a fresh
    per-container CA via the UI ("Generate Root CA" button) or
    POST /api/generate-ca, then re-install it into your trust stores.

If you cannot upgrade immediately and run with ENABLE_AUTH=false (the old
default), an attacker on the same LAN can rewrite credentials, repoint OIDC
to their IdP, exfiltrate stored SMTP credentials, and execute arbitrary
shell commands via the legacy /api/generate route. Either upgrade or
firewall the listening ports until you do.


Cleanup actions (don't skip)

  1. Rotate every secret that has ever been in .env on a machine that
    built/published older images. Anything in those env vars was embedded
    in image layers and pulled by every user of those tags. If you only ever
    ran the official image and never built your own, this doesn't apply.
  2. Re-issue any cert that chained from the baked-in CA. The private key
    of that CA is held by everyone who pulled :<= 3.2.0. After upgrade,
    the new per-container CA is yours alone.
  3. Tell any user who installed the old mkcert-rootCA.pem into their
    trust store to remove it (and install the new one if they still use
    your service). The old CA is effectively a known-compromised root.
  4. Reset SESSION_SECRET. If you ever ran with the documented default
    value, an attacker who knows the value can forge sessions.
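To know exactly which secrets item 1 obliges you to rotate, inspect the image you built or pulled for baked-in .env files rather than guessing. The script below is an added example and not part of the mkcertWeb project. It assumes the image has been written to a tar with `docker save -o image.tar <image>` (layer tars nested inside) or a container's filesystem with `docker export -o fs.tar <container>`, and it reports only variable names, never values, so the output can go straight into a ticket. With no argument it runs against a small constructed sample tar.

```python
"""Find .env files baked into a Docker image or container export.

Added example (not mkcertWeb project code). Input is a tar from
`docker save -o image.tar <image>` (layers nested as tars inside) or
`docker export -o fs.tar <container>` (flat filesystem). Only variable
NAMES are reported, never values.
"""
import io
import re
import sys
import tarfile

# KEY=value or `export KEY=value`; the value is never captured
ENV_ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=")


def env_var_names(text):
    """Return the variable names assigned in .env-style text (comments skipped)."""
    names = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = ENV_ASSIGNMENT.match(line)
        if match:
            names.append(match.group(1))
    return names


def _is_dotenv(member_name):
    base = member_name.rsplit("/", 1)[-1]
    return base == ".env" or base.startswith(".env.")


def _scan_tar(tf, prefix=""):
    """Walk one tar; recurse into regular files that are themselves tars (image layers)."""
    found = {}
    for member in tf.getmembers():
        if not member.isfile():
            continue
        fobj = tf.extractfile(member)
        if fobj is None:
            continue
        data = fobj.read()
        if _is_dotenv(member.name):
            found[prefix + member.name] = env_var_names(data.decode("utf-8", "replace"))
            continue
        # `docker save` stores each layer as a tar (layer.tar or blobs/sha256/<digest>);
        # anything that does not parse as a tar is an ordinary file and is skipped
        try:
            nested = tarfile.open(fileobj=io.BytesIO(data))
        except tarfile.ReadError:
            continue
        with nested:
            found.update(_scan_tar(nested, prefix + member.name + "::"))
    return found


def scan_bytes(blob):
    """Scan an in-memory tar; returns {location: [var names]} per .env found."""
    with tarfile.open(fileobj=io.BytesIO(blob)) as tf:
        return _scan_tar(tf)


def scan_file(path):
    """Scan a tar on disk (docker save / docker export output)."""
    with tarfile.open(path) as tf:
        return _scan_tar(tf)


# --- constructed sample data so the script runs offline --------------------

def _add(tf, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tf.addfile(info, io.BytesIO(data))


def build_sample_export():
    """Stand-in for `docker export` output: an app tree with a leaked .env (constructed)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        _add(tf, "app/server.js", b"// placeholder app code\n")
        _add(tf, "app/.env",
             b"# constructed sample, not real secrets\n"
             b"AUTH_PASSWORD=example\nSESSION_SECRET=example\nexport NTFY_TOKEN=example\n")
    return buf.getvalue()


def build_sample_image():
    """Stand-in for `docker save` output: manifest plus one nested layer tar (constructed)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        _add(tf, "manifest.json", b'[{"Layers": ["layers/abc/layer.tar"]}]\n')
        _add(tf, "layers/abc/layer.tar", build_sample_export())
    return buf.getvalue()


if __name__ == "__main__":
    report = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_bytes(build_sample_image())
    if not report:
        print("no .env files found")
    for location, names in report.items():
        print(f"{location}: rotate {', '.join(names) or '(no assignments parsed)'}")
```

Run it against every tag you ever pushed, not just the latest: a secret that was in a layer of an old tag stays leaked even after the file is removed in a later build. An empty report from a freshly built image also confirms that the new .dockerignore is doing its job.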

If you hit issues in any of these, please file an issue with the
v4.0.0 label.
