BookStack Security Release v26.03.1
Dan Brown posted on the 17th of March 2026
BookStack v26.03.1 has been released.
This is a security release to address a vulnerability where page content, which should be hidden by permissions, could be visible during certain markdown exports.
We strongly advise that you update your instance if you use permissions to control page visibility.
Thanks to Ghufran Raza Khan (GitHub Profile, LinkedIn Profile) for responsibly reporting this issue. Thanks also to Alex Dan (GitHub Profile) for reporting this before public announcement.
Full List of Changes
- Updated queries used for pages in markdown exports.
- Updated handling of filenames for file serving.
- Updated PHP package versions.
For More Information
You can find update instructions here.
If you have any questions or comments about this advisory:
- Ask in the BookStack Community.
- Open an issue in the BookStack GitHub repository.
- Follow the BookStack security policy to contact someone privately.
Header Image Credits: Photo by Andrew Tryon (CC-BY-SA 2.0) - Image Modified