Caution
We recommend skipping direct to v0.26.1, this release has an issue with attachments for docker containers.
Note
As always, we highly recommend making a backup of your databases and files before upgrading! But especially this one for it's major architecture changes.
Warning
This release requires an additional environment variable or CLI parameter to be set. HBOX_AUTH_API_KEY_PEPPER or --auth-api-key-pepper must be set to at least 32 characters random secret.
Biggest Release Yet!
This is by far the biggest, most comprehensive release of Homebox since we took over. Below are the biggest, most important changes. Please read through the warnings and notes carefully, as they contain important upgrade information.
Entity Merge
This release officially implements the entity merge, one of the most comprehensive and complex changes to the Homebox backend ever. Items and locations now share a single underlying "entity" structure, allowing them to share custom fields, attachments, entity types, and templates — and preparing Homebox to take on the features and capabilities people have been asking for.
Warning
The entity merge introduces significant database re-work. You should always make a backup before updating, but a backup is especially important in this case.
Important
If you are an integration/software developer, the /v1/items* and /v1/locations* endpoints have been entirely replaced by /v1/entities*. Please review our entity merge documentation for the API changes.
API Keys
Homebox can now generate static API Keys for developers/integrations. Each key takes on the access level of the user who created it. All Homebox keys are prefixed with hb_ to help prevent secrets from being accidentally committed to source code repositories.
Password Resets
Homebox now supports password resets. If the instance admin configures the SMTP environment variables, users can reset their password from the front-end quickly and easily. For those not wanting to set up SMTP, you can run homebox reset-password --email=<email>, which outputs a random new password for that user (which they can then change from the UI).
Better Export/Import (Experimental)
Thanks to the entity merge, you can now export an entire collection's inventory (including attachments, tags, entities, etc.) into a single ZIP file. That ZIP can then be imported into a different Homebox instance (the receiving collection must be "empty"). A recurring background export task is included as well.
"AR" Scanner
Added more as a fun experiment, but we think some people will find it genuinely useful. Switch to "AR" mode and point your camera at a Homebox QR code — a hovering box appears with basic information about the entity, and if it has children, a list of those child entities.
Other Improvements
- External URL attachments — attach HTTP(S) links to entities via drag-and-drop; rendered as direct hyperlinks and stored as DB records (no blob storage used).
- Convert entity type — convert an item into a location (or vice versa) directly from the edit view.
- Entity types UI — new entity-types management page with improved UI and page titles.
- Remember selected camera in the scanner.
- Nix flake for reproducible dev/build environments.
- Config redaction & stronger security protections, stronger API-key pepper hashing, group/permission fixes, and extensive new tracing.
- Numerous bug fixes: CSV import/export (parent relationships, location export), dark-theme styling, legacy Windows attachment paths, WebSocket auth/retry, DNS64 support, password-manager support, Swagger BaseURL, and more.
Security Fixes:
The following security advisories have been fixed:
- GHSA-r9pf-rg22-655m (pending CVE assignment)
- CVE-2026-48826
- CVE-2026-48974
- CVE-2026-48975
- CVE-2026-48976
What's Changed
- chore(deps): bump dompurify from 3.3.3 to 3.4.0 in /frontend in the npm_and_yarn group across 1 directory by @dependabot[bot] in #1434
- feat(frontend): remember previously selected camera by @lpiepiora in #1425
- feat: merge items and locations into "entities" by @tankerkiller125 in #1414
- feat: "ar" scanner functionality by @tankerkiller125 in #1421
- fix: correct apostrophe placement in default collection name on user registration by @Copilot in #1462
- Fix #1398 by setting Swagger BaseURL to dynamic variable by @katosdev in #1459
- Fix public docs to remove github URL by @katosdev in #1464
- Update baseURL by @katosdev in #1465
- fix: #437 hopefully by @tankerkiller125 in #1455
- fix: improve password manager support for auth forms by @martinfrancois in #1477
- feat: add support for external URL attachments by @szaiser in #1481
- fix: location create modal shows 'Item Photo' instead of 'Location Photo' (closes #1456) by @bskthefirst in #1490
- fix: handle numeric list_price in upcitemdb response by @aaaaaadrian in #1432
- feat: password reset by @tankerkiller125 in #1488
- feat: export/import capability by @tankerkiller125 in #1472
- fix: preserve CSV item parent relationships by @saquibreja7-hash in #1517
- i18n(ko-KR): translate sidebar, quick stats, collection menu by @wonieby in #1519
- Fixes bug where location is exported incorrectly for csv export by @bmyoungquist in #1393
- fix: dark theme styling issues by @IceeAn in #1418
- fix: lack of page title for entity types page by @tonyaellie in #1540
- Add nix flake by @6543 in #1119
- fix: improve entity type UI by @tonyaellie in #1544
- fix: expose ability to change type to ui by @tonyaellie in #1546
New Contributors
- @lpiepiora made their first contribution in #1425
- @martinfrancois made their first contribution in #1477
- @szaiser made their first contribution in #1481
- @bskthefirst made their first contribution in #1490
- @aaaaaadrian made their first contribution in #1432
- @saquibreja7-hash made their first contribution in #1517
- @wonieby made their first contribution in #1519
- @6543 made their first contribution in #1119
Full Changelog: v0.25.0...v0.26.0