thingsboard/thingsboard v4.3.1.2

ThingsBoard 4.3.1.2 Release

on GitHub

What's Changed

Security

• Fixed CWE-770 in Jackson Core by @zzzeebra in #15368
• Fixed CVE-2026-34487, CVE-2026-34486, CVE-2026-34483 by @zzzeebra in #15417
• Fixed CVE-2025-70340: system alarm comments access control by @dashevchenko in #15377
• Fixed multiple CVEs: 2026-39364, 2026-39363, 2026-4800 by @vvlladd28 in #15466
• Fixed CVE-2026-40895 by @mtsymbarov-del in #15538
• Fixed CVE-2026-5588, CVE-2026-5598, CVE-2025-14813, CVE-2026-35554, CVE-2026-27314 by @zzzeebra in #15458
• Fixed CVE-2026-40975, CVE-2026-40973, CVE-2026-22740, CVE-2026-42198 by @zzzeebra in #15557
• Fixed SSRF vulnerability in AI model provider URLs by @zzzeebra in #15412
• Fixed SSRF and file access vulnerabilities in TBEL script sandbox by @zzzeebra in #15585
• Fixed CVE-2026-40682, CVE-2026-42027 by @zzzeebra in #15588
• Fixed CVE-2026-42579, CVE-2026-42583, CVE-2026-42584, CVE-2026-42587 by @ViacheslavKlimov in #15598
• Hardened remote JS executor script invocation by @smatvienko-tb in #15600
• Fixed CVE-2026-41284, CVE-2026-43512 by @ViacheslavKlimov in #15649

Core & Rule Engine

• Audit logging for tenant profile operations by @zzzeebra in #13076
• Added entity keys V2 endpoint with sample values by @dskarzh in #15044
• Performance and reliability improvements for Efento message processing by @dashevchenko in #15333
• Refactored APIs to meet OpenAPI standard by @dashevchenko and @ViacheslavKlimov in #15443
• Exposed HTTP response compression configuration params by @dashevchenko in #15520
• LZ4 compression support for Kafka by @volodymyr-babak in #15565
• Fixed WS sessions limit handling for public users by @dashevchenko in #15313
• Fixed REST API Call node blocking actor thread and semaphore permit leak by @smatvienko-tb in #15334
• Fixed entity filtering by boolean data key for EDQS by @dashevchenko in #15457
• Fixed alarm rule crash on duration source change by @zzzeebra in #15439
• Fixed MAX aggregation for mixed double and long telemetry values by @dashevchenko in #15560
• Added config property to control null ordering in dashboards by @dashevchenko in #15425

UI

• Improved default tenant home dashboard by @vvlladd28 in #15000
• Changed default "Add" button style in entity tables by @vvlladd28 in #14984
• Bumped Node.js version from 22.18.0 to 22.22.2 by @ViacheslavKlimov in #15330
• Enhanced localization: "save-to-gallery" translations by @deaflynx in #15339
• Exposed http-utils functions via WidgetContext.httpUtils by @vvlladd28 in #15395
• Added roundDown option to ShortNumberPipe by @vvlladd28 in #15393
• HTML container widget by @ikulikov in #15556
• Hidden "Add Telemetry" button for Entity view by @mtsymbarov-del in #15362
• Added '@angular/core/rxjs-interop' to modules map by @vvlladd28 in #15373
• Fixed Datasource determination for autocomplete patterns if datasource is empty by @mtsymbarov-del in #15340
• Fixed hint alignment for propagate alarm rule field by @mtsymbarov-del in #15360
• Fixed missing 'type' property in alarm rule condition on save by @vvlladd28 in #15392
• Fixed select options being clipped in widget settings form by @vvlladd28 in #15399
• Fixed translation for Asset and Device profile by @mtsymbarov-del in #15421
• Removed "Alarm rules" step from setting up device profile by @mtsymbarov-del in #15422
• Fixed display long texts in Alarm asignee panel by @mtsymbarov-del in #15408
• Fixed Alarm Assignee icon placement by @mtsymbarov-del in #15423
• Adjusted size of entity type select to fit error message by @mtsymbarov-del in #15427
• Fixed show/hide of custom header actions when using function to control visibility by @mtsymbarov-del in #15430
• Fixed not set pageSize to child nodes in Entities hierarchy widget by @mtsymbarov-del in #15433
• Fixed not process aggregation keys in Entities hierarchy widget by @mtsymbarov-del in #15434
• Fixed icon placement in Value stepper icon by @mtsymbarov-del in #15489
• Fixed display column panel hiding not selectable columns by @mtsymbarov-del in #15490
• Fixed map shape labels drifting from center after viewport resize by @mtsymbarov-del in #15531
• Map widget: fixed data aggregation for additional data keys and import/export widget JSON for polylines layer by @ChantsovaEkaterina in #15579
• Fixed CSV import not unescaping double quotes in unquoted fields by @ChantsovaEkaterina in #15581
• Removed unnecessary DomSanitizer bypass in photo camera input widget by @mtsymbarov-del in #15639

Transport

• Added automatic SSL/TLS certificate reload for transports without service restart by @AndriiLandiak in #15301
• Fixed app hanging on MQTT port conflict at startup by @zzzeebra in #15451
• SNMP: defer querying tasks until transport session is registered by @volodymyr-babak in #15346

Edge

• Added syncInProgress as edge attribute by @volodymyr-babak in #15111
• API key edge sync support by @volodymyr-babak in #15167

Full Changelog: v4.3.1.1...v4.3.1.2