Fixed
- CVE-2026-26016
- GHSA-hr7j-63v7-vj7g
- Fixes bug where presigned URLs would fail to generate if the environment variable was parsed as a string and not an integer.
- Fixes issue where certain input values would cause the activity log screen to stop rendering properly due to improper element encoding.
- Fixes improper display of unicode characters in console output.
- Fixes page number not resetting when toggling between "Show My Servers" and "Show All Servers" on the dashboard.
Changed
- SFTP sessions are now revoked on nodes when a user changes their password or their account is deleted.
- Remote node access tokens are now scoped to only allow access to servers that belong to the same node. Previously a node could access information and control the installation status for any server in the system.
- The default rate limit for the client API was bumped from
128to256requests per minute.
Added
- HTTP responses now include default security headers if not otherwise set.
- Adds modal popup when running a Hytale server that requires additional auth.
- Adds support for administrators to view any application API key that has been created, regardless of the owning account.