[0.16.3] - 2026-04-30

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

Changed

• Replaced STALWART_HTTPS_PORT with STALWART_PUBLIC_URL.
• App Passwords now begin with app_ instead of app to avoid issues with some clients that do not support spaces in passwords.

Fixed

• Directory:
  • Invalidate caches when group memberships change on an external directory.
  • OIDC: errors instead of "failed to decode token".
  • OIDC: Recovery admin access.
  • User impersonation.
• Tasks:
  • Delete locked tasks.
  • Queue pagination by anchor.
• Log viewer: All events show as INFO.
• Registry: Allow changing object variants.
• Node id renewal.
• DNS Updater: Fix Route53 serialization format.

Check binary attestation here

Fixes and improvements

General

• prevent code injection in case of MTX_QUERY in hooks (#5707) When MTX_QUERY is used explicitly in hooks, for instance "curl http://something/?$MTX_QUERY", it can be used to inject arbitrary commands. MTX_QUERY is now url-encoded to prevent any abuse regardless of the configuration.
• use temporary redirects instead of permanent redirects (#5710) this prevents unwanted caching.

HLS

• prevent open redirect attacks (#5708)
• support reading and writing KLV (#5604)
• add hlsCDNSecret (#5716) this allows to serve HLS streams behind a CDN in a simplified way, compatible with the new HLS session system.
• add public attribute to cache-control header (bluenviron/gohlslib#349)
• allow caching non-low-latency playlists (bluenviron/gohlslib#350)

WebRTC

• prevent open redirect attacks (#5708)

RPI Camera

• Merge request->controls instead of overwriting (bluenviron/mediamtx-rpicamera#97) libcamera 0.7.0 is more strict about changing controls; assignment is no longer allowed since raspberrypi/libcamera@310cd8b Instead, we use the merge call with overwrite.

Security

Binaries are compiled from source code by the Release workflow, which is a fully-visible process that prevents any change or external interference in produced artifacts.

Checksums of binaries are also published in a public blockchain by using GitHub Attestations, and they can be verified by running:

ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx

You can verify checksums of binaries by downloading checksums.sha256 and running:

cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check

New major features

HLS

• track sessions (#962) (#5683) sessions are now tracked through cookies or query parameters. This provides the ability to inspect sessions through logs, metrics and API, allows more precise tracking of outbound bytes, decreases load on external HTTP authentication URLs since they are now called once per session and not once per request.
• support serving streams with a CDN (#5696)

Fixes and improvements

General

• improve listener labels (#5635) add a label after every "listener opened on :XXX" message that mentions protocols of every listener.
• dump unencrypted TLS sessions (#5624) when dumpPackets is true, embed TLS master keys into the dump, in a format which is natively compatible with Wireshark.
• use "token" as query parameter key to pass tokens (#5647) the legacy "jwt" query parameter key is still supported.
• deprecate authJWTInHTTPQuery and disable JWTs in query parameters (#5648) This fixes a long standing security flaw. Even though it's a breaking change, few users should be impacted since this feature has been discouraged for some time.
• expose token passed as query parameter to HTTP authentication too (#5649) this allows to parse tokens coming from RTSP and RTMP without additional effort.
• playback: return errors as JSON (#5656) this is aligned with all other HTTP-based services.
• prevent out-of-memory errors (#5674) impose a maximum size on body of incoming HTTP requests and responses.
• metrics: improve performance (#5663) use string.Builder instead of string concatenation
• metrics: add labels to the output (#5687) group metrics under visible, distinct labels.
• metrics: fix filtering by type=rtmp_conns and type=rtmps_conns (#5689)
• metrics: add readerType attribute to the path_readers metric (#5690) this allows to filter path readers by type.
• metrics: use an enum for parsing metrics type (#5692)
• metrics: fix race condition when reloading configuration (#5693)
• docs: add scaling page (#5695)

API

• sort path readers (#5691)

RTSP

• client: fix RTSP-over-HTTP tunnel request target (bluenviron/gortsplib#1041)
• client: support Axis SRTP variant (bluenviron/gortsplib#1033)
• improve SDP parser compatibility with malformed connection information (bluenviron/gortsplib#1025)
• support parsing responses with no status message (bluenviron/gortsplib#1043) (bluenviron/gortsplib#1050)
• client: don't block RTSP-over-HTTP tunnel startup on POST response (bluenviron/gortsplib#1047)

HLS

• return JSON with error message in case path conf is not available (#5655) this behavior is aligned with WebRTC one.
• improve muxer performance (#5660) use a mutex instead of a channel to get current instance.
• fix running linter when there are unstaged git changes (bluenviron/gohlslib#336)
• client: use redirected URL when reloading playlist (bluenviron/gohlslib#340) this allows to store and use tokens and signed URLs.
• client: support reading KLV (bluenviron/gohlslib#337)
• prevent out-of-memory errors (bluenviron/gohlslib#343)
• muxer: generate init segment once (bluenviron/gohlslib#344) Previously, the init segment was regenerated in case of codec parameter changes, but changing the init segment has been proved to cause video and audio discontinuities on iOS. Now the init file contains starting parameters only and never changes during the stream lifetime.
• client: increase size limit of segments and parts (bluenviron/gohlslib#345)
• return a custom error when body size limit is exceeded (bluenviron/gohlslib#346)
• muxer: store non-low-latency playlists and init files on disk (bluenviron/gohlslib#348)

Dependencies

• code.cloudfoundry.org/bytefmt updated from v0.67.0 to v0.69.0
• github.com/alecthomas/kong updated from v1.14.0 to v1.15.0
• github.com/bluenviron/gohlslib/v2 updated from v2.2.9 to v2.3.0
• github.com/bluenviron/gortsplib/v5 updated from v5.5.1 to v5.5.2
• github.com/go-git/go-git/v5 updated from v5.17.2 to v5.18.0
• github.com/matthewhartstonge/argon2 updated from v1.4.6 to v1.5.2
• github.com/pion/ice/v4 updated from v4.2.2 to v4.2.5
• golang.org/x/crypto updated from v0.49.0 to v0.50.0
• golang.org/x/sys updated from v0.42.0 to v0.43.0
• golang.org/x/term updated from v0.41.0 to v0.42.0
• github.com/pion/stun/v3 updated from v3.1.1 to v3.1.2
• github.com/pion/turn/v4 removed
• golang.org/x/net updated from v0.52.0 to v0.53.0
• golang.org/x/text updated from v0.35.0 to v0.36.0
• golang.org/x/time updated from v0.12.0 to v0.14.0
• github.com/pion/turn/v5 v5.0.3 added
• hls.js updated from v1.6.15 to v1.6.16

Security

Binaries are compiled from source code by the Release workflow, which is a fully-visible process that prevents any change or external interference in produced artifacts.

Checksums of binaries are also published in a public blockchain by using GitHub Attestations, and they can be verified by running:

ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx

You can verify checksums of binaries by downloading checksums.sha256 and running:

cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check

Fixes and improvements

General

• prevent directory traversal attacks (#5602) Path names are used as part of paths in several components: in the recorder, in the playback server and in every HTTP-based component (WebRTC, HLS, API). Special characters that allow to escape from the intended directory are now forbidden in order to prevent directory traversal attacks.

RTSP

• client: fill server name indication (SNI) of TLS connections (bluenviron/gortsplib#1038)

RTMP

• implement AbortMessage (#4673) (bluenviron/gortmplib#59)
• client: fill server name indication (SNI) of TLS connections (bluenviron/gortmplib#63)

WebRTC

• fix random absolute timestamps with Opus, G711 and LPCM (#5597) When rewriting audio RTP timestamps in WebRTC egress, NTP was derived using regenerated packet timestamps minus the incoming RTP base timestamp. That mixed timestamp domains and could shift absolute time by an arbitrary offset while still exposing mapping as available. Fix by using a consistent outgoing RTP domain in rewritten audio paths
• strip TWCC extension of incoming RTP packets (#5146) (#5605) The TWCC extension is used as part of the WebRTC congestion control algorithm placed between the publisher and the server. If this extension is routed untouched from the server to readers, it messes with the congestion control algorithm present between the server and each reader. Remove it.

RPI Camera

• restore Docker compatibility with armv6 devices (#5590) (#5595)
• restore compatibility with armv6 devices (#5590) (bluenviron/mediamtx-rpicamera#95)

Dependencies

• github.com/bluenviron/gortmplib updated from v0.3.0 to v0.3.1
• github.com/bluenviron/gortsplib/v5 updated from v5.5.0 to v5.5.1
• github.com/gin-contrib/pprof updated from v1.5.3 to v1.5.4
• github.com/go-git/go-git/v5 updated from v5.17.0 to v5.17.2
• github.com/pion/ice/v4 updated from v4.2.1 to v4.2.2
• github.com/pion/webrtc/v4 updated from v4.2.9 to v4.2.11
• github.com/pion/sctp updated from v1.9.2 to v1.9.4
• github.com/bluenviron/mediamtx-rpicamera updated from v2.5.4 to v2.5.5

Security

Binaries are compiled from source code by the Release workflow, which is a fully-visible process that prevents any change or external interference in produced artifacts.

Checksums of binaries are also published in a public blockchain by using GitHub Attestations, and they can be verified by running:

ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx

You can verify checksums of binaries by downloading checksums.sha256 and running:

cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check

New major features

WebRTC

• support publishing multiple video/audio renditions (#5573) this allows to receive multiple video tracks from OBS Studio with the new WebRTC Simulcast feature introduced in v32.1.0.

API

• provide track details (#5307) (#5333) (#1726) (#5585)
• add user field to RTSP, RTMP, SRT, WebRTC conns and sessions (https://github.com/bluenviron/mediamtx/issues/5104) (#5565)
• add RTSP reported lost packets (#5198) (#5579) The new outboundRtpPacketsReportedLost property allows to track RTP packets that have been reported lost by readers. Furthermore, stats now have a "inbound" or "outbound" prefix to improve readability.
• rename WebRTC stats to match RTSP ones (#5581)
• add new stats (#5582) - RTSPSession.outboundRTPPacketsDiscarded - Path.inboundFramesInError - SRTConn.outboundFramesDiscarded - WebRTCSession.outboundFramesDiscarded - RTMPConn.outboundFramesDiscarded - HLSMuxer.outboundFramesDiscarded

Fixes and improvements

General

• avoid buffering HTTP response body in loggerWriter (#5552) loggerWriter was shadow-copying every response byte into a bytes.Buffer to report the body size, causing the entire response to be accumulated in memory for the lifetime of each request. Replace the buffer with a plain int counter since dump() only ever reported the byte count anyway.
• optionally validate JWT iss and aud claims (#5569)
• metrics: add two missing SRT stats (#5580)

API

• add deprecated fields to the OpenAPI definition (#5575)
• add missing enums and move all enums in dedicated components (#5576)

RTSP

• fix rtsps scheme not being used in requests (#5236) (#5544)
• support unwrapping MPEG-TS tracks (#5476) this allows to use MPEG-TS tracks with other protocols and with the recording system
• client: fix support for hostnames in source and dest headers (bluenviron/gortsplib#1009) (#5304) (bluenviron/gortsplib#1014)
• allocate a rtp sender for each server session (bluenviron/gortsplib#1021) this produces more realistic statistics and in the future will allow to implement per-session statistics and packet retransmission.
• store reported lost RTP packets in stats (#5198) (bluenviron/gortsplib#1023)

HLS

• muxer: support muxing KLS with MPEG-TS (bluenviron/gohlslib#327)
• client: fix deadlock when processing fMP4s (bluenviron/gohlslib#333) (bluenviron/gohlslib#334)

WebRTC

• fix panic with WHIP POST authentication failures (#5566)

Dependencies

• code.cloudfoundry.org/bytefmt updated from v0.64.0 to v0.67.0
• github.com/abema/go-mp4 updated from v1.4.1 to v1.5.0
• github.com/bluenviron/gohlslib/v2 updated from v2.2.8 to v2.2.9
• github.com/bluenviron/gortsplib/v5 updated from v5.4.0 to v5.5.0
• github.com/bluenviron/mediacommon/v2 updated from v2.8.2 to v2.8.3
• golang.org/x/crypto updated from v0.48.0 to v0.49.0
• golang.org/x/sys updated from v0.41.0 to v0.42.0
• golang.org/x/term updated from v0.40.0 to v0.41.0
• golang.org/x/net updated from v0.51.0 to v0.52.0
• golang.org/x/text updated from v0.34.0 to v0.35.0

Security

Binaries are compiled from source code by the Release workflow, which is a fully-visible process that prevents any change or external interference in produced artifacts.

Checksums of binaries are also published in a public blockchain by using GitHub Attestations, and they can be verified by running:

ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx

You can verify checksums of binaries by downloading checksums.sha256 and running:

cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check

Fixes and improvements

General

• fill product version of Windows executable (#5167) (#5511)
• improve JSON decoder performance (#5526) avoid decoding JSON twice.
• fix panic when setting writeQueueSize to zero (#5360) (#5527)
• prevent using alwaysAvailableFile and alwaysAvailableTracks together (#5529)
• improve playback precision of alwaysAvailable offline segment (#5530)
• fix MPEG-4 audio configuration not matching error (#5468) (#5533) This happened when using alwaysAvailableFile and a MPEG-4 audio track.
• fix corrupted video with alwaysAvailableFile (#5534) when alwaysAvailableFile points to a file with a H265 or H264 track, server is started, an online stream is published and then closed, video was getting corrupted since the online video was overriding the parameters of the offline video.
• fix audio from alwaysAvailableFile not being streamed (#5535)
• fix alwaysAvailableFile restarting when a publisher fails (#5536) when a publisher try to start an online stream and there's an error, alwaysAvailableFile restarted without any reason.
• revert to Go 1.25 (#5521) (#5538) It seems like Go 1.26 is causing segmentation faults, related to channels, on Windows.
• inherit MPEG-4 audio type from alwaysAvailableFile (#5539)
• mpegts: properly compute PTS of async KLV frames (bluenviron/mediacommon#291) (bluenviron/mediacommon#311) Store last valid PTS as soon as possible, by parsing PES headers in advance, then use this PTS as timestamp of KLV frames without PTS.

HLS

• client: fix initial packet loss after astits upgrade (bluenviron/gohlslib#331)

Dependencies

• Go updated from 1.26 to 1.25
• github.com/asticode/go-astits updated from v1.14.0 to v1.15.0
• github.com/bluenviron/gohlslib/v2 updated from v2.2.6 to v2.2.8
• github.com/bluenviron/gortsplib/v5 updated from v5.3.2 to v5.4.0
• github.com/bluenviron/mediacommon/v2 updated from v2.8.0 to v2.8.2
• github.com/gin-gonic/gin updated from v1.11.0 to v1.12.0
• github.com/go-git/go-billy/v5 updated from v5.7.0 to v5.8.0
• github.com/go-git/go-git/v5 updated from v5.16.5 to v5.17.0
• github.com/bytedance/sonic updated from v1.14.0 to v1.15.0
• github.com/bytedance/sonic/loader updated from v0.3.0 to v0.5.0
• github.com/cloudflare/circl updated from v1.6.1 to v1.6.3
• github.com/gabriel-vasile/mimetype updated from v1.4.8 to v1.4.12
• github.com/go-playground/validator/v10 updated from v10.27.0 to v10.30.1
• github.com/quic-go/quic-go updated from v0.57.0 to v0.59.0
• github.com/ugorji/go/codec updated from v1.3.0 to v1.3.1
• golang.org/x/arch updated from v0.20.0 to v0.22.0
• golang.org/x/net updated from v0.50.0 to v0.51.0
• google.golang.org/protobuf updated from v1.36.9 to v1.36.10
• github.com/bytedance/gopkg v0.1.3 added
• go.mongodb.org/mongo-driver/v2 v2.5.0 added

Security

Binaries are compiled from source code by the Release workflow without human intervention.

You can verify that binaries have been produced by the workflow by using GitHub Attestations:

ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx

You can verify checksums of binaries by downloading checksums.sha256 and running:

cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check

Fixes and improvements

General

• support X-Forwarded-Proto in playback server (#4970) (#5445) allow reverse proxies to change the schema of URLs returned by the server through the X-Forwarded-Proto header.
• make config file YAML 1.2 compliant (#5345) (#5456)
• replace YAML parser (#5461) switch from the unmaintained gopkg.in/yaml to goccy/go-yaml
• deprecate unix+rtp (#5318) (#4999) (#5351) (#5470) Unix socket are stream-based connections, while RTP requires packet-based connections. While packet-based Unix sockets exist (unixgram), no client supports them. Consequently we are forced to deprecate unix+rtp.
• fix codec parameters not being loaded from alwaysAvailableFile (#5484)
• warn when alwaysAvailableFile is not MP4 (#5483)
• suggest using JWTs in query parameters for RTSP and RTMP (#5267) (#5493) In case of RTSP and RTMP, JWTs cannot be used as passwords since there's a size limit. Therefore, documentation is updated to suggest passing JWT through query parameters, and authJWTInHTTPQuery is updated to act on HTTP requests only.
• fix error 400 with parallel describe and publish requests (#5095) (#5502) When a path is dynamic, and the path receives multiple describe and publish requests in parallel, describe requests might cause the path to be deleted, and this might cause pending publish requests to fail, since the path has been deleted. This patch improves the situation by checking for pending requests before deleting a path.
• add integrated packet dumper (#5488) this allows to dump any incoming and outgoing packet, to disk, in pcapng format.
• log packet sizes if UDPMaxPayloadSize is exceeded (#4668)
• improve video/audio sync of alwaysAvailable (#5443) (#5508) store elapsed time once for the entire stream and start PTS of sub streams from there.
• improve pmp4 and fmp4 parser robustness (bluenviron/mediacommon#299)
• mp4: fix H265 + iOS compatibility (bluenviron/mediacommon#290) On iOS, H265 requires the hvc1 box instead of the hev1 box.
• h264: prevent Annex-B from decoding more NALUs than MaxNALUsPerAccessUnit (bluenviron/mediacommon#303)
• improve H264 and MPEG-4 video performance (#4971) (bluenviron/mediacommon#304)
• mp4: fill reserved fields properly (bluenviron/mediacommon#307)
• mpegts: parse Opus channel configuration (#5002) (bluenviron/mediacommon#309)

API

• add conns to RTSP Sessions (#5454) this allows to find connections associated with a RTSP session.

RTMP

• prevent legacy clients from reading multiple video/audio tracks (#5478)
• fix marshaling H264 VideoExCodedFrames (#4996) (bluenviron/gortmplib#46) These messages were marshaled wrongly, causing errors when trying to read H264 tracks with an ID >= 1.
• support reading H265 with video codec id 12 (#5105) (bluenviron/gortmplib#48)

HLS

• client: support storing and sending cookies (#5444)

WebRTC

• allow tuning WHEP timeouts (#5027) (#5479) add whepHandshakeTimeout, whepTrackGatherTimeout, whepSTUNGatherTimeout
• add whepBearerTokenParameter (#3796) (#5486) this allows to pass Authorization: Bearer to servers that require it.

SRT

• set timeout of idle peers to readTimeout (#5489)

RPI Camera

• fix cross-compilation (bluenviron/mediamtx-rpicamera#89)
• fix kernel warning when closing camera (#4988) (bluenviron/mediamtx-rpicamera#88) close camera and encoder handlers properly.

Dependencies

• Go updated from 1.25 to 1.26
• code.cloudfoundry.org/bytefmt updated from v0.63.0 to v0.64.0
• github.com/MicahParks/keyfunc/v3 updated from v3.7.0 to v3.8.0
• github.com/bluenviron/gohlslib/v2 updated from v2.2.5 to v2.2.6
• github.com/bluenviron/gortmplib updated from v0.2.1 to v0.3.0
• github.com/bluenviron/gortsplib/v5 updated from v5.3.1 to v5.3.2
• github.com/bluenviron/mediacommon/v2 updated from v2.7.1 to v2.8.0
• github.com/datarhei/gosrt updated from v0.9.0 to v0.10.0
• github.com/go-git/go-git/v5 updated from v5.16.4 to v5.16.5
• github.com/matthewhartstonge/argon2 updated from v1.4.5 to v1.4.6
• github.com/pion/ice/v4 updated from v4.2.0 to v4.2.1
• github.com/pion/sdp/v3 updated from v3.0.17 to v3.0.18
• github.com/pion/webrtc/v4 updated from v4.2.3 to v4.2.9
• golang.org/x/crypto updated from v0.47.0 to v0.48.0
• golang.org/x/sys updated from v0.40.0 to v0.41.0
• golang.org/x/term updated from v0.39.0 to v0.40.0
• gopkg.in/yaml.v2 removed
• github.com/goccy/go-yaml updated from v1.18.0 to v1.19.2
• github.com/pion/dtls/v3 updated from v3.0.10 to v3.1.2
• golang.org/x/net updated from v0.49.0 to v0.50.0
• golang.org/x/text updated from v0.33.0 to v0.34.0
• github.com/google/gopacket v1.1.19 added
• github.com/bluenviron/mediamtx-rpicamera updated from v2.5.3 to v2.5.4

Security

Binaries are compiled from source code by the Release workflow without human intervention.

You can verify that binaries have been produced by the workflow by using GitHub Attestations:

ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx

You can verify checksums of binaries by downloading checksums.sha256 and running:

cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check

Fixes and improvements

General

• fix typo in error message ('alwaysAvailableVideo' -> 'alwaysAvailableFile') (#5417)
• emit structured logs with nanosecond precision (#4924) (#5404)
• set default udpMaxPayloadSize to an IPv6 compatible value (#4882) (#5402) When using IPv6, there are 20 bytes less available for UDP payload, which has been adjusted accordingly.
• add authHTTPFingerprint (#5413) (#5422)
• add additional checks on always-available streams (#5408) make sure that published streams match MPEG-4 audio, G711 and LPCM parameters declared in configuration or used by the offline file.
• improve JSON error message (#5412) (#5433)
• pmp4: improve compatibility (#5423) (bluenviron/mediacommon#298)

RTSP

• rtpreceiver: fix panic (bluenviron/gortsplib#994)
• support Amatek AR-N3222F NVR (bluenviron/gortsplib#989)
• rtpreceiver: fix TotalReceived computation (bluenviron/gortsplib#995) one packet was missing.

RPI Camera

• fix unsetting rpiCameraAWBGains (#4935) (bluenviron/mediamtx-rpicamera#85)

Dependencies

• code.cloudfoundry.org/bytefmt updated from v0.62.0 to v0.63.0
• github.com/alecthomas/kong updated from v1.13.0 to v1.14.0
• github.com/bluenviron/gortsplib/v5 updated from v5.3.0 to v5.3.1
• github.com/bluenviron/mediacommon/v2 updated from v2.7.0 to v2.7.1
• github.com/pion/interceptor updated from v0.1.43 to v0.1.44
• github.com/pion/rtp updated from v1.10.0 to v1.10.1
• github.com/bluenviron/mediamtx-rpicamera updated from v2.5.2 to v2.5.3

Security

Binaries are compiled from source code by the Release workflow without human intervention.

You can verify that binaries have been produced by the workflow by using GitHub Attestations:

ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx

You can verify checksums of binaries by downloading checksums.sha256 and running:

cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check

New major features

General

• add always available streams (#5335) When the publisher or source of a stream is offline, the server can be configured to fill gaps in the stream with a video that is played on repeat until a publisher comes back online. This allows readers to stay connected regardless of the state of the stream. The offline video and any future online stream are concatenated without decoding or re-encoding packets, using the original codec.

API

• add available, availableTime, online, onlineTime properties (#5391) these replace ready and readyTime and allow to monitor the new "always-available" feature.

WebRTC

• support reading KLV tracks (#4722)

Fixes and improvements

General

• move away from balenalib Docker images (#5313)
• print OS and Arch in first log line (#5315)
• print last decode error (#5319) decode errors are still grouped together, but the last one is now printed.
• print last processing error (#5323)
• use the same filtering process for every codec (#5324) this allows to apply features that were previously implemented for single codecs (like RTP packet resizing), to any codec, and simplifies future development.
• prevent several configuration errors (#5368)
• fix typos in documentation (#5370)
• fix overriding default user with environment variables (#5371) MTX_AUTHINTERNALUSERS_0_USER and MTX_AUTHINTERNALUSERS_0_PASS are now working even when the configuration file is present.
• prevent setting empty usernames with environment variables (#5373)
• fix panic with environment variables (#5374) this happened when loading deprecated slices of structs with environment variables.
• prevent setting slices to null (#5375) In Golang, slices can be set to nil, while in most other languages they cannot. This causes compatibility issues, especially because the OpenAPI definition of the API does not allow slices to be nil. This prevents slices from being set to nil through JSON/YAML, and also sets default slices to an empty list instead of nil.
• Update hlsEncryption documentation on Low-Latency HLS requirements (#5379)
• fix race condition when closing HTTP servers (#5390) when a HTTP server is closed, open connections are now immediately closed and open routines are waited before the server is considered closed.
• deprecate fallback (#5388) The fallback feature worked with RTSP only and did not allow readers to resume the original stream. It has been replaced by alwaysAvailable.
• mpegts: add E-AC-3 (Dolby Digital Plus) codec support (bluenviron/mediacommon#272)
• mpeg4audio: support channel_config=0 (bluenviron/mediacommon#273)
• mpeg4audio: in ASC, prefer marshaling legacy ChannelConfig when available (bluenviron/mediacommon#280)
• pmp4: increase compatibility (bluenviron/mediacommon#293)
• pmp4: support MP4s with data before track definitions (bluenviron/mediacommon#294)

API

• improve OpenAPI definition (#5380) add uint64, uint, uuid, move WebRTCICEServer into dedicated schema

RTSP

• fix log labels of RTSPS listeners (#5367) use "TCP/RTSPS", "UDP/SRTP", "UDP/SRTCP" to refer to secure listeners
• add rtspUDPSourcePortRange param (#5363) (#5397)

HLS

• fix playback starting point for VOD streams without EXT-X-PLAYLIST-TYPE (bluenviron/gohlslib#308)
• client: return every unit before an error (bluenviron/gohlslib#314) In case of an error, downloaded unit that were not processed yet were discarded. Now they are returned before the client exits.

WebRTC

• print incoming data channel messages (#5357)

RPI Camera

• move away from balenalib Docker images (bluenviron/mediamtx-rpicamera#82)

Dependencies

• code.cloudfoundry.org/bytefmt updated from v0.59.0 to v0.62.0
• github.com/bluenviron/gohlslib/v2 updated from v2.2.4 to v2.2.5
• github.com/bluenviron/gortmplib updated from v0.2.0 to v0.2.1
• github.com/bluenviron/gortsplib/v5 updated from v5.2.2 to v5.3.0
• github.com/bluenviron/mediacommon/v2 updated from v2.6.0 to v2.7.0
• github.com/golang-jwt/jwt/v5 updated from v5.3.0 to v5.3.1
• github.com/matthewhartstonge/argon2 updated from v1.4.4 to v1.4.5
• github.com/pion/ice/v4 updated from v4.1.0 to v4.2.0
• github.com/pion/interceptor updated from v0.1.42 to v0.1.43
• github.com/pion/rtp updated from v1.9.0 to v1.10.0
• github.com/pion/transport/v3 removed
• github.com/pion/webrtc/v4 updated from v4.2.1 to v4.2.3
• golang.org/x/crypto updated from v0.46.0 to v0.47.0
• golang.org/x/sys updated from v0.39.0 to v0.40.0
• golang.org/x/term updated from v0.38.0 to v0.39.0
• github.com/pion/datachannel updated from v1.5.10 to v1.6.0
• github.com/pion/dtls/v3 updated from v3.0.9 to v3.0.10
• github.com/pion/sctp updated from v1.9.0 to v1.9.2
• github.com/pion/srtp/v3 updated from v3.0.9 to v3.0.10
• github.com/pion/stun/v3 updated from v3.0.2 to v3.1.1
• github.com/pion/turn/v4 updated from v4.1.3 to v4.1.4
• golang.org/x/net updated from v0.48.0 to v0.49.0
• golang.org/x/text updated from v0.32.0 to v0.33.0
• github.com/pion/transport/v4 v4.0.1 added
• github.com/bluenviron/mediamtx-rpicamera updated from v2.5.1 to v2.5.2

Security

Binaries are compiled from source through the Release workflow without human intervention, preventing any external interference.

You can verify that binaries have been produced by the workflow by using GitHub Attestations:

ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx

You can verify checksums of binaries by downloading checksums.sha256 and running:

cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check

Fixes and improvements

General

• add structured logging (#5219)
• fix 1-minute offset when recording a H264 WebRTC track (#5275) (#5278)
• disable syslog logging on macOS (#5005) (#5295)
• set syslog priority and do not write level and date to syslog (#4923) (#5296) When writing log entries to syslog, pass the level (WARN, INFO, etc) directly to syslog. Avoid writing level and date. This provides a better integration and allows to use syslog search tools.

RTSP

• avoid setupping back channels (#5074) (#5289)
• Support URI format sent by HappyTime ONVIF and RTSP clients during (bluenviron/gortsplib#964)
• fix medias wrongly marked as back channels (#5074) (bluenviron/gortsplib#970) Some cameras mark medias as back channels even though they are not. Try to detect this by checking whether in full the SDP there are both back channels and standard channels, unmarking back channels otherwise.
• when there are back channels, add recvonly attribute to standard channels (bluenviron/gortsplib#971)

SRT

• fix broken connections in case of high latency (#3756) (#5282) When listening and accepting an incoming connection request, the response might be received by the peer with some delay due to latency. This causes the peer to send a second connection request, that is not detected as duplicate because the first connection request has already been removed from the map that is used to check for duplicates (connReqs), so it is treated as a brand new connection request, breaking the first connection. This patch fixes the issue by introducing another map (connByPeer) that is used to check whether a connection request is associated to an already-accepted connection.

Dependencies

• code.cloudfoundry.org/bytefmt updated from v0.58.0 to v0.59.0
• github.com/bluenviron/gortmplib updated from v0.1.2 to v0.2.0
• github.com/bluenviron/gortsplib/v5 updated from v5.2.1 to v5.2.2
• github.com/bluenviron/mediacommon/v2 updated from v2.5.3 to v2.6.0
• github.com/matthewhartstonge/argon2 updated from v1.4.3 to v1.4.4
• github.com/pion/ice/v4 updated from v4.0.13 to v4.1.0
• github.com/pion/rtp updated from v1.8.26 to v1.9.0
• github.com/pion/sdp/v3 updated from v3.0.16 to v3.0.17
• github.com/pion/webrtc/v4 updated from v4.1.7 to v4.2.1
• golang.org/x/crypto updated from v0.45.0 to v0.46.0
• golang.org/x/sys updated from v0.38.0 to v0.39.0
• golang.org/x/term updated from v0.37.0 to v0.38.0
• github.com/pion/dtls/v3 updated from v3.0.8 to v3.0.9
• github.com/pion/sctp updated from v1.8.41 to v1.9.0
• github.com/pion/stun/v3 updated from v3.0.1 to v3.0.2
• github.com/quic-go/qpack updated from v0.5.1 to v0.6.0
• github.com/quic-go/quic-go updated from v0.54.1 to v0.57.0
• go.uber.org/mock removed
• golang.org/x/mod removed
• golang.org/x/net updated from v0.47.0 to v0.48.0
• golang.org/x/sync removed
• golang.org/x/text updated from v0.31.0 to v0.32.0
• golang.org/x/time updated from v0.9.0 to v0.12.0
• golang.org/x/tools removed

Security

Binaries are compiled from source through the Release workflow without human intervention, preventing any external interference.

You can verify that binaries have been produced by the workflow by using GitHub Attestations:

ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx

You can verify checksums of binaries by downloading checksums.sha256 and running:

cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check

Fixes and improvements

General

• apidocs: fix compatibility with OpenAPI 3.0 (#5210) double-precision numbers are now represented as double.
• playback: support concatenating segments with long gaps (#5172) Thanks to the new mtxi MP4 box, it's possible to check whether two segments are consecutive without involving dates or timestamps. When the new mtxi box is present in both segments, do not check if the end of the first segment corresponds to the start of the second segment.
• recorder: reset when absolute time drifts from stream time (#4778) (#5239) the server now detects when system time changes too much and restarts recordings when that happens.
• playback: fix crash (#5240) (#5250) when requesting a recording with the mp4 format, if there are two tracks and the second track has no samples, the server crashed. This fixes the issue.
• fix panic when changing log file to a nonexisting directory (#5132) (#5249)
• h264: fix regression in DTS extractor (#5207) (bluenviron/mediacommon#263)
• h264: increase MaxNALUsPerAccessUnit (bluenviron/mediacommon#262) Some parrot drones use slice-encoding with 45 independent slices, resulting in frames consisting of 48 NALUs.
• pmp4: fix crash when unmarshaling and there are no samples (#5240) (bluenviron/mediacommon#267)
• fmp4: Correctly parse trun v0 sample composition time offset (bluenviron/mediacommon#268)
• h265: fix DTS extraction with multiple slices (#5071) (bluenviron/mediacommon#269)

API

• always reply with JSON in case of success or failure (#5252) Reply with "status": "ok" in case of success, and with "status": "error" in case of error. This makes the API more accessible and user friendly.

RTSP

• fix crash when setupping tracks between stream changes (#5253) (#5257)
• Allow 1 byte of extra padding at mikey message (bluenviron/gortsplib#953)

RTMP

• prevent dropping initial video and audio frames (bluenviron/gortmplib#26)

Dependencies

• github.com/bluenviron/gortmplib updated from v0.1.1 to v0.1.2
• github.com/bluenviron/gortsplib/v5 updated from v5.2.0 to v5.2.1
• github.com/bluenviron/mediacommon/v2 updated from v2.5.1 to v2.5.3
• github.com/go-git/go-billy/v5 updated from v5.6.2 to v5.7.0
• github.com/go-git/go-git/v5 updated from v5.16.3 to v5.16.4
• github.com/pion/ice/v4 updated from v4.0.10 to v4.0.13
• github.com/pion/rtp updated from v1.8.25 to v1.8.26
• github.com/pion/webrtc/v4 updated from v4.1.6 to v4.1.7
• github.com/pion/dtls/v3 updated from v3.0.7 to v3.0.8
• github.com/pion/mdns/v2 updated from v2.0.7 to v2.1.0
• github.com/pion/sctp updated from v1.8.40 to v1.8.41
• github.com/pion/srtp/v3 updated from v3.0.8 to v3.0.9
• github.com/pion/stun/v3 updated from v3.0.0 to v3.0.1
• github.com/pion/turn/v4 updated from v4.1.1 to v4.1.3

Security

Binaries are compiled from source through the Release workflow without human intervention, preventing any external interference.

You can verify that binaries have been produced by the workflow by using GitHub Attestations:

ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx

You can verify checksums of binaries by downloading checksums.sha256 and running:

cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check

njs-0.9.8 bugfix version has been released.

VIENNA, Austria – April 29, 2026 – Leading open-source server solutions provider Proxmox Server Solutions GmbH (henceforth "Proxmox") today announced the release of Proxmox Backup Server 4.2. This update is based on Debian 13.4 “Trixie”, bringing updated packages, improved hardware support, and enhanced security. Proxmox Backup Server 4.2 ships with Linux kernel 7.0 as the new stable default and includes ZFS 2.4 for reliable, enterprise-grade storage. The new release also delivers major improvements in backup data organization, sync security, sync performance, S3-backed storage, and the underlying software stack.

Highlights in Proxmox Backup Server 4.2

Support for moving groups and namespaces

Backup groups and namespaces can now be moved to different locations within the same datastore. This gives administrators more flexibility when reorganizing existing backups, while per-group locking helps ensure data consistency throughout the process.

Server-side en/decryption support for sync jobs

Push sync jobs can now be configured to encrypt snapshots on the fly before sending them to remote datastores. This is particularly useful when synchronizing backup data to less trusted remote Proxmox Backup Server instances. In addition, pull sync jobs can be configured to decrypt snapshots that were encrypted on remote datastores. To make key management easy, tape and sync encryption keys can now all be managed from the same centralized panel.

Concurrent group pull/push support for sync jobs

Sync jobs can now process multiple groups in parallel through the new worker-threads property. This significantly improves throughput on high-latency networks and helps overcome HTTP/2 connection limitations. Logging has also been improved, with contextual prefixes for log messages and better visibility for push sync jobs.

S3-compatible object stores as backup storage backend

S3-compatible object stores are now officially supported as a backup storage backend. S3-backed datastores can now also track request counts and traffic statistics for deeper operational insight and monitoring. This is especially useful for identifying unexpected traffic volume early. The request counters are visualized in the datastore summary.

Availability

Proxmox Backup Server 4.2 is immediately available for download. Users can obtain a complete installation image via ISO download, which contains the full feature set of the solution and can be installed quickly on bare-metal systems using an intuitive installation wizard.

Seamless distribution upgrades from older versions of Proxmox Backup Server are possible using the standard APT package management system. Furthermore, it is also possible to install Proxmox Backup Server on top of an existing Debian installation. As Free/Libre and Open Source Software (FLOSS), the entire solution is published under the GNU AGPLv3.

For enterprise users, Proxmox Server Solutions GmbH offers professional support through subscription plans. Pricing for these subscriptions starts at EUR 560 per server per year, including unlimited backup storage and unlimited backup clients. A subscription provides access to the stable Enterprise Repository with timely updates via the web interface, as well as certified technical support. It is recommended for production use.

Resources:

• ISO Image Download: https://www.proxmox.com/en/downloads/
• Forum Announcement: https://forum.proxmox.com/
• Roadmap: For published and upcoming features, see the Release Notes & Roadmap

###

About Proxmox Backup Server
Proxmox Backup Server is an enterprise backup solution for backing up and restoring virtual machines, containers, and physical hosts. The open-source client-server software supports incremental backups, deduplication, Zstandard compression, and authenticated encryption. Designed for efficiency and ease of use, Proxmox Backup Server enables users to back up data in a space-efficient manner and restore virtual machines, archives, or single objects quickly. With its web-based user interface, the solution helps reduce administrative effort through simplified management. Proxmox Backup Server is licensed under the GNU AGPLv3. Enterprise support subscriptions are available from Proxmox.

About Proxmox Server Solutions
Proxmox provides powerful and user-friendly open-source server software. Enterprises of all sizes and industries use the Proxmox solutions to deploy efficient and simplified IT infrastructures, minimize total cost of ownership, and avoid vendor lock-in. Proxmox also offers commercial support, training services, and an extensive partner ecosystem to ensure business continuity for its customers. Proxmox Server Solutions GmbH was established in 2005 and is headquartered in Vienna, Austria. To learn more visit https://www.proxmox.com. Further information is available on LinkedIn and on YouTube.

Contact: Michael Hiess, Proxmox Server Solutions GmbH, marketing@proxmox.com

[0.16.2] - 2026-04-28

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• OIDC: Fallback to userinfo endpoint when JWT token does not contain an email claim.
• S3: verifyAfterWrite option to verify that objects have persisted after writing.

Changed

• Allow HTTP to be used for configuring the server.

Fixed

• LDAP: Generate valid credentialId when there are password changes.
• TLS: Disable cipher suited option disables wrong ciphers.
• DNS Updater:
  • BunnyDNS: Use subdomain as name of record instead of FQDN.
  • RFC2136: Chunk TXT records.
• Skip invalid entries in log files.

Check binary attestation here

VIENNA, Austria – April 27, 2026 – Enterprise software developer Proxmox Server Solutions (henceforth "Proxmox") today announced a new partnership with StorPool, which is now officially listed as a Proxmox solution provider. Through native integration with Proxmox Virtual Environment, StorPool brings high-performance block storage with very low and consistent latency to organizations running demanding production workloads on open-source infrastructure.

The integration combines the flexibility of Proxmox Virtual Environment with StorPool’s software-defined storage technology to support predictable I/O performance under load, efficient hardware utilization, and fast recovery from drive or server failures. The joint solution is designed for enterprises that require reliable primary storage for business-critical virtualized environments, whether deployed in hyperconverged or disaggregated architectures.

Short Quote StorPool
"StorPool takes Proxmox-powered environments to a new level in terms of speed (<0.1 ms latency), availability (99.999% of measured uptime) and efficiency (CPU, RAM & SSD consumption)," stated Boyan Ivanov, CEO, StorPool. "Now Proxmox users can optimize their environments, while having a robust enterprise-grade solution with 24/7 support, SLA and high-end storage capabilities."

Shorte Quote Proxmox:
"Our goal is to offer a powerful virtualization platform supported by a strong, enterprise-ready ecosystem," said Tim Marx, COO of Proxmox. "Through StorPool's native integration with Proxmox Virtual Environment, customers can have an additional high-performance storage option whenever their specific use cases require it. This expands flexibility for organizations running demanding workloads on open-source infrastructure."

Availability

Storpool on Proxmox Virtual Environment is available immediately. For more information, please visit https://storpool.com/proxmox-virtual-environment

###

About StorPool
StorPool has deployed hundreds of infrastructure solutions that help companies streamline their data centers and optimize their entire businesses. Our core focus is on developing StorPool Storage, a primary data storage software platform for service providers and enterprises. We design and provide solutions for virtualized environments, databases, and IaaS/SaaS platforms, delivering consistent low-latency performance and high availability using only standard hardware. Founded in 2011, StorPool serves customers globally across a range of industries. Learn more: https://storpool.com

About Proxmox
Proxmox provides powerful and user-friendly open-source server software. Enterprises of all sizes and industries use the Proxmox solutions to deploy efficient and simplified IT infrastructures, minimize total cost of ownership, and avoid vendor lock-in. Proxmox also offers commercial support, training services, and an extensive partner ecosystem to ensure business continuity for its customers. Proxmox Server Solutions GmbH was established in 2005 and is headquartered in Vienna, Austria. To learn more visit https://www.proxmox.com. You can also follow us on LinkedIn and on YouTube.

Contact: Michael Hiess Proxmox Server Solutions GmbH, marketing@proxmox.com

Finally releasing v4.0.

It was long overdue because we have been in beta for a long time. Thousands of companies and people have been using Coolify in production for 1-2 years.

Of course, this does not mean it has no bugs, it has many, but we fix them every day.

v5 is coming together, but we are not rushing it.

The biggest feature will be full scalability in the core, so you will have cloud infrastructure, but with your own servers.

I already have a working solution for the core and it is soo cool. Can't wait to start showing them to you.

By the way, doing v5 does not mean we won't continue to support v4.
We just want to push what is possible with servers and automations.

Thank you to everyone who helped me reach this point 💜

Let's make cool stuff! 🫰

So the release notes:

What's Changed

Security & Fixes

• Fixed Rallly service environment variable defaults (#9041, fixes #9615)
• Fixed Logto upgrade failure caused by missing database migration step (#9376)
• Fixed Jitsi Meet not working — rebuilt template with stable image and proper UDP/secrets (#9594, fixes #4813)
• Fixed Twenty deployment failure from unhealthy worker dependency (#9603, fixes #9574)
• Fixed mobile info popup not opening on tap and bubbling clicks to parent (#9809, closes #4834)
• Fixed SPA navigation race conditions causing stale state, broken buttons, and unsaved changes (#9742, closes #9732)

New Services & Templates

• Added Cap captcha service template (#9729)
• Re-enabled Plane service with updated docker-compose (#9641, fixes #8338)
• Updated Beszel and Beszel Agent to 0.18.7 (#9775)
• Disabled Cal.com template — project went closed source (#9776)

Improvements

• Added healthcheck to Langfuse worker (#9772)

What's Changed (Github)

• fix(navigation): replace wire:navigate.hover with wire:navigate by @andrasbacsai in #9742
• fix(helper): stop info icon click from propagating to parent on mobile by @andrasbacsai in #9809
• feat(service): disable calcom by @ShadowArcanist in #9776
• chore(service): update beszel to 0.18.7 by @ShadowArcanist in #9775
• feat(service): add healthcheck to langfuse-worker by @GauthierPLM in #9772
• feat(services): add Cap to templates by @tiagozip in #9729
• feat(service): enable plane by @DarkMaper in #9641
• fix(service): twenty fails to deploy due to dependency unhealthy by @ShadowArcanist in #9603
• fix(service): Jitsi Meet doesn't work by @miqonee in #9594
• fix(service): add missing database alteration step for Logto latest image by @FabioHAraujo in #9376
• fix(service): rally invalid next public url by @zupolgec in #9041
• v4.0.0 by @andrasbacsai in #9818

New Contributors

• @tiagozip made their first contribution in #9729
• @DarkMaper made their first contribution in #9641
• @miqonee made their first contribution in #9594
• @zupolgec made their first contribution in #9041

Full Changelog: v4.0.0-beta.474...v4.0.0

[0.16.1] - 2026-04-25

This version includes multiple breaking changes. If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• OIDC: Extract username from JWT token.
• system('node_hostname') and system('node_role') expression variables to retrieve the local node hostname and cluster role respectively.

Changed

Fixed

• JMAP:
  • Invalid receivedAt headers after importing (#2939).
  • Sorting order issues when emails lack receivedAt headers.
• IMAP: Fix BINARY fetch responses (#2940).
• WebDAV: Fix ACL validation for target folders.
• ACME: Allow requesting apex domain certificates.
• Hostname issues:
  • Accept RFC 6761 reserved TLDs during bootstrap.
  • Allow hostnames without TLDs in remote server settings.
• Reverse proxy issues.
• OSS builds.
• DNS Updater:
  • RFC2136: TSIG secret not base64 decoded.
  • Google DNS: Chunk TXT records when they exceed 255 characters.
  • Cloudflare:
    • Fix CAA record updates.
    • Check zone subdomains when finding zones

Check binary attestation here

njs-0.9.7 version has been released, featuring WebCrypto Ed25519 and X25519 support, wrapKey() and unwrapKey(), and crypto.randomUUID().

nginx-acme-0.4.0 version has been released, featuring ACME Renewal Information support.

What's Changed

Security & Fixes

• Prevent data loss when persistent containers (databases, apps, services) are accidentally pruned during service deletion (#9654, fixes #9582)
• Fix S3 storage backup endpoints returning 500 in API context (#9655, fixes #9581)
• Encrypt manual webhook secrets and strengthen HMAC signature verification (#9652)
• Fix Rocky Linux installer to use correct RHEL Docker repository (#9541, fixes #8730)
• Harden authentication: upgrade email verification hash and fix invitation link login (#9672)
• Validate and rate-limit feedback endpoint (#9653)
• Tighten volume name and path validation with shell argument escaping (#9666)
• Validate backup upload file type and size limits (#9667)
• Tighten S3 endpoint URL validation (#9668)
• Harden dev helper version validation and build argument escaping (#9670)
• Strengthen team scoping across resource creation flows (#9651)
• Fix SSH repository URLs with custom ports being mangled (#9425)
• Fix healthcheck path validation rejecting commas and semicolons (#9223)
• Fix database credential validation and shell escaping across Postgres, MySQL, MariaDB (#9674, #9676, #9681, #9682)
• Improve shell command tokenization for install, build, and start commands (#9684)
• Return stable generic error messages for API 5xx responses (#9669)

Improvements

• Add optional expiration for API tokens with advance notification warning before expiry (#9677)
• Add DELETE API endpoint to remove preview deployments by pull request ID (#9614)
• Mark Docker Swarm support as deprecated ahead of v5 removal (#9621)
• Categorize application advanced settings into logical sections (#9234)
• Improve service settings layout with dedicated advanced page and clearer headings (#9027)
• Display memory limit fields in a single row (#9232)
• Add info callout to clone resource section listing excluded items (#9233)
• Add architecture warning for service templates with platform limitations (#8390)
• Improve domain port+path format documentation in the UI (#8331)

What's Changed (Github)

• fix(installer): use RHEL Docker repo for Rocky Linux by @andrasbacsai in #9541
• fix(dev): add Docker volume path mapping to testing-host for database deployments by @cyface in #9534
• feat(ui): categorize application advanced settings into logical sections by @ShadowArcanist in #9234
• feat(ui): add info callout to clone resource section about excluded items by @ShadowArcanist in #9233
• feat(ui): display memory limit fields in single row by @ShadowArcanist in #9232
• fix(healthcheck): user input is rejected if path contains comma and semicolon by @ShadowArcanist in #9223
• feat(ui): improve service settings UX, headings, and helper text for clarity by @ShadowArcanist in #9027
• feat(services): add architecture warning by @Cinzya in #8390
• Added extra documentation on format for port+path for domains by @JamesPeters98 in #8331
• fix(git): preserve ssh scheme URLs with custom ports by @Iisyourdad in #9425
• refactor: tighten team scoping on resource creation and admin nav by @andrasbacsai in #9651
• build(deps-dev): bump follow-redirects from 1.15.11 to 1.16.0 by @dependabot[bot] in #9580
• refactor(webhook): encrypt manual webhook secrets and tighten HMAC verification by @andrasbacsai in #9652
• feat(api): add DELETE endpoint for preview deployments by PR id by @andrasbacsai in #9614
• refactor(api): validate and throttle feedback endpoint by @andrasbacsai in #9653
• fix(server): exclude persistent resources from container prune by @andrasbacsai in #9654
• fix(api): use explicit team ID for S3 storage lookup in backup endpoints by @andrasbacsai in #9655
• refactor(volumes): validate input and escape shell args by @andrasbacsai in #9666
• refactor(backup): validate database backup upload file type and size by @andrasbacsai in #9667
• refactor(storage): tighten S3 endpoint URL validation by @andrasbacsai in #9668
• refactor(settings): harden dev_helper_version validation and escape build args by @andrasbacsai in #9670
• refactor(api): return stable generic error messages for 5xx responses by @andrasbacsai in #9669
• [v5.x] chore: mark v4 docker swarm support as deprecated by @peaklabs-dev in #9621
• refactor: harden auth, CLI input, and scheduled-log viewer by @andrasbacsai in #9672
• fix(database): mount guard, healthcheck CMD exec-form, port input layout by @andrasbacsai in #9674
• fix(database): credential format validation with dirty-value escape hatch by @andrasbacsai in #9676
• feat(security): add expiration support for API tokens by @andrasbacsai in #9677
• fix(database): tighten Postgres init script filename handling by @andrasbacsai in #9681
• refactor(database): align Postgres SSL chown escaping with MySQL by @andrasbacsai in #9682
• refactor(validation): tokenize shell-safe command pattern by @andrasbacsai in #9684
• v4.0.0-beta.474 by @andrasbacsai in #9542

New Contributors

• @cyface made their first contribution in #9534
• @JamesPeters98 made their first contribution in #8331

Full Changelog: v4.0.0-beta.473...v4.0.0-beta.474

[0.16.0] - 2026-04-20

This version includes multiple breaking changes. If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• Web UI rewritten from the ground up using the JMAP management API, featuring a refreshed design and addressing 76 enhancement requests and bug fixes.
• CLI rewritten from the ground up to use the JMAP management API.
• Security enhancements:
  • Password strength enforcement using the zxcvbn algorithm
  • Password expiration, rotation policies and IP address restrictions for user accounts
  • App Passwords with limited access (#1609), labels (#2255), IP address restrictions and expiration dates
  • API keys with limited access, labels, IP address restrictions and expiration dates
  • Auto-ban comments and details about the triggering event (#1321)
  • Auto-ban expiration after a configurable time period (#964)
• DNS Management:
  • Automatic DNS management of MX, TXT, CNAME, SRV, CAA and TLSA records (#463 #1017 #1419 #2438 #1370 #1406 #1371)
  • Automatic update of TLSA records when ACME certificates change (#1664)
  • RFC2136 SIG(0) support (#856)
  • Route53 provider support (contributed by @jimmystewpot)
  • Google Cloud DNS provider support (contributed by @jimmystewpot)
  • Bunny provider support (contributed by @angeloanan)
  • Porkbun provider support (contributed by @jeffesquivels)
  • DNSimple provider support (contributed by @NelsonVides)
  • Spaceship provider support (contributed by @matserix)
• DKIM:
  • Automatic DKIM key generation, rotation and DNS management (#368 #961)
  • Store DKIM keys in the database (#1264)
  • Ignore insecure signatures when verifying DKIM (#1068 #467)
• ACME/TLS:
  • DNS-PERSIST-01 ACME challenge support (#2837)
  • Renew certificates on demand, view certificate details (#675 #1162 #2566)
  • CAA record support (#468) with accounturi parameter (#1933)
  • TLSA records publishing restricted to 3 1 1 and 2 1 1 (#2193)
• OIDC and OAuth:
  • JWT token validation without requesting userinfo from the OIDC provider.
  • Audience (aud) claim (#2603) and scope validation support.
  • Groups support (#1448)
  • RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients
• LDAP:
  • Separate filter for groups (#1841)
  • Improve support for OpenLDAP schemas (#760)
  • Improve and simplify LDAP settings (#2194 #2174)
• Directory:
  • Masked email addresses for enhanced privacy (Enterprise)
  • Domain aliases (#583)
  • E-mail alias descriptions and option to disable aliases (#506)
  • Account archiving and un-deletion (#2767) (Enterprise)
  • Per-domain directory backends (Enterprise)
• Account configuration and discovery:
  • Automatic Configuration of Email, Calendar, and Contact Server Settings (draft-mailmaint-uaautoconf-04) (#2201)
  • MS Autodiscover V2 support (#679)
• Sieve: Allow deactivating scripts without deleting them (#1251).
• Tracing: Enable events only mode (#2276)
• Clustering:
  • Automatic cluster node ID generation and management.
  • Unified cluster management (#960)
  • Outbound MTA role (#1692)

Changed

• Replaced REST API with JMAP API (#2262 #959 #1480)
• Removed support for Authenticated Received Chain (ARC) sealing (learn more).
• Directory: Removed smtp, imap and memory directory backends.
• Use aws-lc for cryptographic operations instead of ring.
• Use rustls-platform-verifier for TLS certificate verification instead of webpki (#247).

Fixed

• Directory:
  • Cannot remove built-in "admin" role from user once it was assigned (#1467)
  • Delete associated records (#963)
  • Updated Role permissions not applied (#2038)
  • Recreated account cannot log in until server is restarted (#1469)
  • Subaddressing does not work for groups (#475)
  • New LDAP aliases are rejected (#1318).
  • Validate account and group names (#2209)
• MTA:
  • RCPT TO stage settings improvements (#2217 #394)
  • Relay to IP addresses (#838)
  • Duplicate delivery inverted check
  • SASL challenge responses include invalid Go ahead text
• JMAP:
  • Fix inMailboxOtherThan query logic.
  • Fix hasAttachment search field (#2778)
• IMAP:
  • Increment argument max length to 8000 bytes
  • ACL: Add RIGHTS capability (#2762)
  • ACL: Fix ACL SET permission override.
• WebDAV:
  • Return 304 NOT_MODIFIED on If-None-Match
  • Use RFC 2616 instead of RFC 1123 for date formatting
  • Fix ACL container/item mismatch in reports.
  • CalDAV: Allow organized properties to be present in PUT requests if they are equal to the existing ones.
  • CalDAV: Enforce cumulative iCalendar instances cap in CalDAV free-busy REPORT handler
• Configuration: Prefix parsing issues (#2495)
• OIDC: JWKS Exposes Symmetric Signing Key
• SQLite: Fix thread pool exhaustion.
• PostgreSQL: Use clean recycling method on connection pool
• Meilisearch: Make id sorteable.
• ACME: Fix wrong origin for subdomain updates (#2360)
• Spam filter: Skip invalid messages during training.
• Calendar: Include minutes in localized invite templates (#2828)
• HTTP: Fix 204 CORS preflight responses

Check binary attestation here

VIENNA, Austria – April 20, 2026 – Enterprise software developer Proxmox Server Solutions (henceforth "Proxmox") and Kasm Technologies, a leader in zero-trust cloud workspaces, today announced a strategic solution partnership. The collaboration expands the Proxmox ecosystem with a secure, web-native workspace streaming layer for Proxmox VE. This integration enables organizations to deliver virtual desktops, application streaming, and remote browser isolation through any modern browser – on any device and from any location.

Built on the foundation of Proxmox Virtual Environment, Kasm Workspaces adds a modern workspace delivery layer that allows IT and security teams to provision, manage, and isolate workloads across Windows, Linux, and macOS from a unified stack. Kasm’s containerized, zero-trust approach ensures that end-users never interact directly with sensitive data or endpoints, helping organizations reduce risk while simplifying secure remote access.

The Proxmox and Kasm integration provides a DevOps-enabled alternative to legacy VDI environments. The combined solution reduces operational overhead, eliminates proprietary licensing constraints, and delivers a verifiable security architecture that can scale from small deployments to global enterprise rollouts.

Short Quote Kasm Technologies:

“Great technology partnerships are built on shared principles, and Kasm Technologies and Proxmox are united by a common belief: organizations of all sizes deserve infrastructure that works for them,” said Justin Travis, CEO of Kasm Technologies. “Together, we offer a full-stack VDI solution, from the hypervisor layer to the end-user experience, built on the reliability and rapid innovation that Proxmox’s open-source ecosystem is known for delivering.”

Short Quote Proxmox:

“At Proxmox, we believe open-source infrastructure should give organizations more freedom, not more complexity,” said Tim Marx, COO of Proxmox Server Solutions. “Kasm extends Proxmox Virtual Environment with a modern, browser-based workspace experience that aligns with the needs of today’s IT and security teams. This partnership gives customers a flexible and secure path to deliver virtual desktops and applications without the constraints of legacy VDI platforms.”

Availability

Kasm Workspaces on Proxmox Virtual Environment is available immediately. For more information, please visit https://kasm.com/alliance-partnership/proxmox

###

About Kasm Technologies
Kasm Technologies is a leading provider of cloud workspaces, delivering zero-trust browser isolation, Desktop-as-a-Service, and application streaming through its open-source, web-native container streaming platform. Founded by cybersecurity experts with decades of experience defending U.S. federal and Department of Defense programs, Kasm enables organizations to securely deliver digital workspaces to any device, any network, anywhere in the world. Kasm Technologies is headquartered in McLean, Virginia. Learn more at https://www.kasm.com

About Proxmox Server Solutions
Proxmox provides powerful and user-friendly open-source server software. Enterprises of all sizes and industries use the Proxmox solutions to deploy efficient and simplified IT infrastructures, minimize total cost of ownership, and avoid vendor lock-in. Proxmox also offers commercial support, training services, and an extensive partner ecosystem to ensure business continuity for its customers. Proxmox Server Solutions GmbH was established in 2005 and is headquartered in Vienna, Austria. To learn more visit https://www.proxmox.com

Media contact: Michael Hiess, Proxmox Server Solutions GmbH, marketing@proxmox.com

nginx-1.30.0 stable version has been released, incorporating new features and bug fixes from the 1.29.x mainline branch  — including Early Hints, HTTP/2 to backend and Encrypted ClientHello, sticky sessions support for upstreams, Multipath TCP support, the default proxy HTTP version set to HTTP/1.1 with keep-alive enabled, and more.

Fixes

• Fixed the upgrade modal to show the correct target version and cleared stale upgrade notifications when the instance was already up to date. (#7774, fixes #6039, #8707)
• Fixed user deletion cleanup so team-owned Git app sources were handled safely, while instance-wide sources were preserved for the root team. (#9435, fixes #8172)
• Fixed dashboard homepage add buttons so they remained visible in light mode. (#9456, fixes #9454)
• Fixed port mapping validation to accept protocol suffixes like /tcp, /udp, /sctp and IP-bound mappings. (#9503, fixes #9501, #9504)

Improvements

• Updated phpseclib/phpseclib to 3.0.51. (#9500)
• Updated axios to 1.15.0 for development dependencies. (#9515)
• Updated axios to 1.15.0 in coolify-realtime. (#9516)

What's Changed (Github)

• fix(ui): Initialize latestVersion in Upgrade component mount by @andrasbacsai in #7774
• fix(user-deletion): safely clean up team-owned Git app sources by @andrasbacsai in #9435
• fix(ui): dashboard homepage add buttons are invisible in light mode by @rosslh in #9456
• fix(validation): allow protocol suffix and ip in port mappings (/tcp, /udp, /sctp) by @ShadowArcanist in #9503
• build(deps): bump phpseclib/phpseclib from 3.0.50 to 3.0.51 by @dependabot[bot] in #9500
• build(deps-dev): bump axios from 1.13.2 to 1.15.0 by @dependabot[bot] in #9515
• build(deps): bump axios from 1.13.6 to 1.15.0 in /docker/coolify-realtime by @dependabot[bot] in #9516
• v4.0.0-beta.473 by @andrasbacsai in #9521

New Contributors

• @rosslh made their first contribution in #9456

Full Changelog: v4.0.0-beta.472...v4.0.0-beta.473

The Asterisk Development Team would like to announce
the release of asterisk-23.3.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/23.3.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 23.3.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-23.3.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 50
• Commit Authors: 21
• Issues Resolved: 34
• Security Advisories Resolved: 0

The Asterisk Development Team would like to announce
the release of asterisk-22.9.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.9.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 22.9.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-22.9.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 50
• Commit Authors: 21
• Issues Resolved: 34
• Security Advisories Resolved: 0

The Asterisk Development Team would like to announce
the release of asterisk-20.19.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.19.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 20.19.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-20.19.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 50
• Commit Authors: 21
• Issues Resolved: 34
• Security Advisories Resolved: 0