This version contains security fixes, it is recommended to update to this version immediately.
Important
If you are using Part-DB it would be helpful if you fill out this short survey on your usage of Part-DB (Google Forms): https://forms.gle/Q15twx3YYq3qCNfe8
Part-DB 2.12.2
Security fixes
MEDIUM: Fixed XSS vulnerability in project BOM import
MEDIUM: Fixed XSS vulnerability in project BOM table
Fixed problem that sidebar hide state was not persisted over page reloads (PR #1404, @d-buchmann)
Do not log deprecations as the files can quickly get very large, old behavior can be reenabled via env setting. This might also give a small performance boost (fixes #1405)
Added keyboard-editable date entry directly in the datetime field. The field shows its formatted value at rest and swaps to editable date segments on focus, while a calendar button still opens the picker popup. (#27693 by @robluton)
Added inline editing support to the JSON repeater interface. (#26863 by @bryantgillespie)
Fixed license modals being impossible to dismiss when shown above a route drawer (e.g. field detail pages) by keeping dialog focus traps stacked in visual order, and scoped license dismissal cookies to the whole app so dismissals persist across navigation (#27714 by @dstockton)
@directus/api
Fixed revision snapshots being assigned to the wrong items during batch updates when read order differs (#27407 by @luciemdx)
Directus is free for individuals and organizations under $5M annual revenue and 50 employees.
Get your free license key at directus.com/oig
Directus 12 introduces active license enforcement. Self-hosted instances run on the Core tier by default. Higher limits and additional features require a valid license. See Licensing for a complete overview.
This change affects instances previously using features that now require a license, including:
SSO β SSO login will no longer work. Users who authenticate through SSO will be unable to log in and must be converted to email and password users to regain access.
Custom permission rules β custom rules on access policies will be ignored.
Custom or self-hosted LLMs β connections to custom LLMs will no longer work.
AI Translations β AI-powered translations are not available.
Enforcement is immediate on new instances. Instances upgrading to Directus 12 get a 30-day grace period from the time of upgrade, after which these are enforced unless a license that enables them is configured.
If your instance uses any of these features, add a license that includes them to continue to do so. If your instance uses only Core tier features, no action is required.
Breaking Change: Relicensed from BUSL-1.1 to MSCL-1.0-GPL (Monospace Sustainable Core License, Version 1.0).
Changed the default of IP_TRUST_PROXY from true to false to harden the default deployment against IP spoofing. (#27607)
The IP_TRUST_PROXY default was changed from true to false. If you run Directus behind a reverse proxy and rely on X-Forwarded-For (or similar) headers for client IP resolution, you must now explicitly set IP_TRUST_PROXY to true or a more specific trust configuration.
Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160)
Health checks are cached by default and shared across multi-instance deployments
/server/health will return 404 for unauthenticated requests, use /server/ping for liveness checks
cache, rateLimiter and rateLimiterGlobal health checks have been replaced by a generic redis check using the redis: prefix
Introduced VERSION_KEY_ constants and renamed main to published @alvarosabu (#27397)*
Backward Compatibility: You can now use ?version=published to resolve versions of the main item(s) via the version query parameter. For backward compatibility, ?version=main will continue to work.
Replaced status field with archived boolean in collection settings @alvarosabu (#27397)
Backward Compatibility: Existing collections with string-based status fields continue to work unchanged; newly created collections now default to a boolean "Archived" field instead of the string "Status" field
Deprecation for extensions: The globally registered VResizeable component has been deprecated. Extension authors using <v-resizeable> should migrate to @directus/vue-split-panel or their own implementation.
Updated type system, borders, and theme variables @formfcw (#27437)
Potential breaking change for theme extensions: headerShadow and sidebarShadow removed from LayoutConfig interface
Potential breaking change for theme extensions: boxShadow removed from header theme rules schema
Potential breaking change for theme extensions: sidebarShadow no longer exposed in layout wrapper state
Updated module navigation bar spacing and styling @HZooly (#27437)
Potential breaking change in theme extensions: Removed navigation.project.borderColor / navigation.project.borderWidth / navigation.project.background from theming. No action is required β these props will simply no longer have any effect.
Locked published items in versioned collections from editing and added a header action button to edit in the draft version @alvarosabu (#27397)
Breaking change β new behavior for versioned collections Published items in versioned collections are now locked. Edits must be made through the draft version.
Removed rounded buttons and adopted shared header action button across all views @formfcw (#27437)
Potential breaking change for extensions: The rounded prop has been removed from v-button. Extensions using rounded will still render correctly but buttons will appear as rounded rectangles instead of circles. No functional impact.
Updated header and navigation bar base design and merged their theme properties into a new shell scope @formfcw (#27437)
Potential breaking change for theme extensions: The theme properties navigation.background, navigation.backgroundAccent, navigation.borderWidth, navigation.borderColor, header.background, header.borderWidth, and header.borderColor have been removed and replaced by shell.background, shell.backgroundAccent, shell.borderWidth, and shell.borderColor.
Potential breaking change for theme extensions: Custom themes overriding any of these removed properties must migrate to the new shell scope. The corresponding CSS variables change from --theme--navigation--background, --theme--navigation--background-accent, --theme--navigation--border-*, --theme--header--background, and --theme--header--border-* to --theme--shell--background, --theme--shell--background-accent, and --theme--shell--border-*.
Removed the extra confirmation step from the publish flow @alvarosabu (#27487)
Breaking change β new publish flow: Publishing a version no longer shows an additional confirmation dialog after confirming changes in the comparison modal. The item is published directly once the changes are confirmed.
Potential breaking change for theme extensions: Removed section.toggle.borderWidth / section.toggle.borderColor in favor of section-level border tokens. No action is required β these props will simply no longer have any effect.
Potential breaking change for theme extensions: Removed sidebarShadow and headerShadow from defineLayout(). No action is required β these props will simply no longer have any effect.
Refactored focus ring from border/box-shadow to outline @formfcw (#27437)
Potential breaking change for theme extensions: borderColorFocus, boxShadowHover, and boxShadowFocus are removed from the theme schema β custom themes referencing these will lose their focus overrides silently
Potential breaking change for interface extensions that relied on --theme--form--field--input--border-color-focus or --theme--form--field--input--box-shadow-focus CSS variables will need to migrate to --theme--form--field--input--focus-ring-color
Updated header bar elements and deprecated the headline slot @formfcw (#27437)
Deprecation for extensions: The headline slot on the private view header bar has been deprecated. Existing content keeps rendering, but consumers using <template #headline> will now see a deprecation hint from Volar.
@directus/app
Locked published items in versioned collections from editing and added a header action button to edit in the draft version @alvarosabu (#27397 by @formfcw)
Removed rounded buttons and adopted shared header action button across all views @formfcw (#27437 by @formfcw)
Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160 by @ComfortablyCoding)
Refactored drawer header layout and simplified v-drawer API @formfcw (#27437 by @formfcw)
:::notice
Deprecation for extensions: The globally registered v-breadcrumb component has been deprecated. Extensions using <v-breadcrumb> keep rendering but will see a deprecation hint from Volar.
Deprecation for extensions: On v-drawer, the subtitle prop (use the title prop instead), the subtitle slot, the header:append slot, and the actions:append slot have been deprecated. Existing usage keeps rendering β actions:append content lands in the secondary-actions zone, and for primary CTAs in the drawer header use the new actions:primary slot. Consumers will see deprecation hints from Volar.
Potential Breaking change for theme extensions: The theme properties header.headline.foreground and header.headline.fontFamily have been removed. Custom themes overriding these properties should remove them. The corresponding CSS variables --theme--header--headline--foreground and --theme--header--headline--font-family no longer exist.
Refactored drawer header layout and simplified v-drawer API @formfcw (#27437 by @formfcw)
:::notice
Deprecation for extensions: The globally registered v-breadcrumb component has been deprecated. Extensions using <v-breadcrumb> keep rendering but will see a deprecation hint from Volar.
Deprecation for extensions: On v-drawer, the subtitle prop (use the title prop instead), the subtitle slot, the header:append slot, and the actions:append slot have been deprecated. Existing usage keeps rendering β actions:append content lands in the secondary-actions zone, and for primary CTAs in the drawer header use the new actions:primary slot. Consumers will see deprecation hints from Volar.
Potential Breaking change for theme extensions: The theme properties header.headline.foreground and header.headline.fontFamily have been removed. Custom themes overriding these properties should remove them. The corresponding CSS variables --theme--header--headline--foreground and --theme--header--headline--font-family no longer exist.
Added split-menu slot to v-button and migrate primary header actions @formfcw (#27437 by @formfcw)
Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
Added version support to getItemRoute and update all callers to preserve version context when navigating to items from layouts and interfaces @alvarosabu (#27397 by @formfcw)
Added behavior to auto-switch to the draft version on the first edit of published item @alvarosabu (#27507 by @alvarosabu)
Updated VChip component to appear as a pill in form field label, group accordion, group tabs, kanban, deployment status, extension item, marketplace extension list item, marketplace extension banner, and user popover @formfcw (#27462 by @formfcw)
Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
Deprecation for extensions: The actions:append slot in the header bar has been deprecated in favor of the new actions:primary slot for primary CTAs. Existing actions:append usage keeps rendering in the secondary-actions zone, but consumers will now see a deprecation hint from Volar.
Renamed "Promote" to "Publish" in version menu and disabled create version and published selection for item-less versions @alvarosabu (#27397 by @formfcw)
Refactored drawer header layout and simplified v-drawer API @formfcw (#27437 by @formfcw)
:::notice
Deprecation for extensions: The globally registered v-breadcrumb component has been deprecated. Extensions using <v-breadcrumb> keep rendering but will see a deprecation hint from Volar.
Deprecation for extensions: On v-drawer, the subtitle prop (use the title prop instead), the subtitle slot, the header:append slot, and the actions:append slot have been deprecated. Existing usage keeps rendering β actions:append content lands in the secondary-actions zone, and for primary CTAs in the drawer header use the new actions:primary slot. Consumers will see deprecation hints from Volar.
Potential Breaking change for theme extensions: The theme properties header.headline.foreground and header.headline.fontFamily have been removed. Custom themes overriding these properties should remove them. The corresponding CSS variables --theme--header--headline--foreground and --theme--header--headline--font-family no longer exist.
:::
Updated header bar elements and deprecated the headline slot @formfcw (#27437 by @formfcw)
Ensured to switch to the draft version when visually editing an item of a versioned collection @formfcw (#27595 by @formfcw)
Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
Added support for the version query parameter in collections @Nitwel (#27397 by @formfcw)
Allow disabling the health check endpoint via HEALTHCHECK_ENABLED or selectively disabled checked services via HEALTHCHECK_SERVICES (#27160 by @ComfortablyCoding)
Improved AI assistant prompt caching support across providers. (#27545 by @bryantgillespie)
Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
Allow disabling the health check endpoint via HEALTHCHECK_ENABLED or selectively disabled checked services via HEALTHCHECK_SERVICES (#27160 by @ComfortablyCoding)
Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
Updated directus_oauth_* system collection visibility to match other system collections (#27682 by @hanneskuettner)
Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
Added support for the version query parameter in collections @Nitwel (#27397 by @formfcw)
Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160 by @ComfortablyCoding)
Updated header bar elements and deprecated the headline slot @formfcw (#27437 by @formfcw)
@directus/utils
Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
@directus/sdk
Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
Added missing collection note translations for the directus_oauth_* system collections (#27682 by @hanneskuettner)
Changed back button behavior, always navigates one level up @HZooly (#27437 by @formfcw)
Fixed default favicon path to resolve against the instance root path instead of the site origin. (#27095 by @singhvishalkr)
Fixed repeater interface ignoring per-field translations and $t: keys on sub-field labels, and added a "Field Name Translations" section to the sub-field configuration UI (#27374 by @khanahmad4527)
Fixed search input not trimming whitespace, causing queries with leading or trailing spaces to return no results (#27359 by @khanahmad4527)
Added minor copy change to license onboarding and license key interface (#27651 by @robluton)
Fixed the error handling (try-catch) when saving a field in Directus Studio. (#27486 by @baguse)
Fixed items not being selectable in the collection drawer when the Kanban layout is used while the parent item is opened in a version context @alvarosabu (#27427 by @alvarosabu)
Fixed AI assistant "Clear conversation" not canceling in-flight requests, causing them to continue running in the background (#27646 by @levgiorg)
Added support for translatable flow names via the existing $t: prefix and translation strings, matching the field/collection label pattern. The flow name input in the flow editor now exposes the translation picker. (#27472 by @khanahmad4527)
Removed unsupported json filter function from the studio (#27669 by @sourav-18)
Added DIRECTUS_DOMAIN constant and replaced hardcoded directus.io to directus.com using the new constant (#27417 by @ComfortablyCoding)
Consolidated URLs and emails into shared constants (#27641 by @HZooly)
@directus/system-data
Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
Updated the built-in OpenAI and Anthropic AI model lists to use the latest available API models. (#27602 by @hanneskuettner)
@directus/types
Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
@directus/utils
Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
@directus/sdk
Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160 by @ComfortablyCoding)
Fixed SingletonCollections incorrectly including core schema collections (#27196 by @kheiner)
@directus/ai
Updated the built-in OpenAI and Anthropic AI model lists to use the latest available API models. (#27602 by @hanneskuettner)
@directus/release-notes-generator
Ignored private workspace packages when generating release notes (#27637 by @licitdev)
This is a security release to address the following vulnerabilities:
Attachment requests could be manipulated to leak details/links/metadata (not content) of attachments which the user did not have permission to view.
The file:// protocol could be abused in some Windows-specific scenarios to auto-run requests with credential information when viewing exports.
This protocol is now filtered from interactive content.
The search system could be abused to cause errors and fill logs.
Upgrade is advised for instances with public viewing enabled, or where untrusted users have authenticated access.
Thanks to Stephen O. / Sakusen (Codeberg, Website), Gurmandeep Deol (LinkedIn), Rafael Castilho (X account) and Gabriel Duarte Guerra (GitHub) for responsibly reporting these issues.
Full List of Changes
Updated PHP package versions.
Updated translations with the latest Crowdin changes.
Updated content allow-filtering to only allow the file:// protocol on anchor hrefs, instead of in all dynamic content.
Updated attachment update handling to validate permissions before request content.
Fixed numeric handling issue in tag search when using non-standard numbers.
β οΈ Note: This is the final Strapi 4 release β οΈ
No further updates to Strapi 4 will be published, this release serves as the final version of Strapi 4 which is considered EOL (End-Of-Life) as of April 30th, 2026. All Strapi users should migrate to Strapi 5: https://docs.strapi.io/cms/migration/v4-to-v5/introduction-and-faq
Also please note, this does include Strapi Customers as well. Strapi Cloud will still continue to function with Strapi 4 but that may be subject change in the near future without warning.
What's Changed
Security
Fixed a critical vulnerability where relational filtering could expose sensitive data through insufficient query sanitization. See GHSA-rjg2-95x7-8qmx / CVE-2026-27886.
Upgraded tar to v7 to address security warnings.
Applied v4 dependency security and maintenance updates.
Fixes
Enforced unique admin email validation when updating the authenticated user profile.
This version contains critical security fixes, it is recommended to update to this version immediately.
Part-DB 2.12.1
Security fixes
CRITICAL: Fixed issue that users with editing rights could execute arbitary php code in the docker installations by uploading phar files
MEDIUM: Fixed XSS issue in unsanatized log entry extra. Due to the Content-Security-Policy this has limited impact, as no arbitrary javascript can be executed.
MEDIUM: The APP_SECRET env must be changed to prevent forgery of REMEMBERME tokens. To be doable an attacker requires to know the secret password hash of a user, which is not obtainable without another security issue. Administrators will see an warning banner on the homepage, asking to change the APP_SECRET.
Generate an new random 32 character string with openssl rand -hex 32 and put the value for APP_SECRET into your .env.local or the environment section of the docker-compose.yaml.
Other changes
Updated dependencies to fix known security issues in symfony and twig
Log in
