v0.64.5
What's Changed
🚨 Security Fix
- Management API authorization bypass (CWE-639) — A flaw in the management API auth middleware allowed an authenticated user to bypass account-membership checks and RBAC enforcement via a manipulated request parameter. In multi-account deployments this could enable cross-account access; in single-account deployments it could relax per-user authorization checks. All self-hosted users should upgrade immediately. Fix by @pascal-fischer in https://github.com/netbirdio/netbird/pull/5246
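To illustrate the class of check such a fix restores, here is an added example (not NetBird's code; all type and function names are hypothetical) of an authorization decision that accepts an account identifier from the request only after confirming the authenticated principal's server-side membership, and evaluates RBAC against the stored role rather than anything the client supplied:

```go
package main

import (
	"errors"
	"fmt"
)

// Role is a user's role inside one account (hypothetical names, not NetBird's types).
type Role string

const (
	RoleOwner Role = "owner"
	RoleAdmin Role = "admin"
	RoleUser  Role = "user"
)

// Principal is what token verification established for the caller; Memberships
// (account ID -> role) is loaded server-side, never from request parameters.
type Principal struct {
	UserID      string
	Memberships map[string]Role
}

var ErrForbidden = errors.New("forbidden")

// Authorize decides whether the caller may perform action in requestedAccount.
// The account ID may come from the request, but it is honoured only if the
// principal is a member of it; the RBAC role is the stored membership role.
func Authorize(p Principal, requestedAccount, action string) error {
	role, isMember := p.Memberships[requestedAccount]
	if !isMember {
		return fmt.Errorf("%w: %s is not a member of %s", ErrForbidden, p.UserID, requestedAccount)
	}
	if !roleAllows(role, action) {
		return fmt.Errorf("%w: role %s may not %s", ErrForbidden, role, action)
	}
	return nil
}

// roleAllows is a minimal RBAC table; unknown actions are denied by default.
func roleAllows(role Role, action string) bool {
	switch action {
	case "read":
		return role == RoleOwner || role == RoleAdmin || role == RoleUser
	case "write":
		return role == RoleOwner || role == RoleAdmin
	}
	return false
}
```

With a principal whose only membership is `acct-A` as `user`, `Authorize(p, "acct-B", "read")` and `Authorize(p, "acct-A", "write")` both return an error wrapping `ErrForbidden`, while `Authorize(p, "acct-A", "read")` returns nil.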
Other Changes
- Add selfhosting video by @braginini in https://github.com/netbirdio/netbird/pull/5235
Full Changelog: https://github.com/netbirdio/netbird/compare/v0.64.4...v0.64.5