BookStack Security Release v26.03.2

BookStack v26.03.2 has been released.

This is a security release to address a vulnerability where the registration form could be manipulated to gain access to additional roles.

Upgrade is very strongly advised if your instance has user registration enabled.

Thanks to Kwonyong Lee (LinkedIn) for responsibly reporting this issue, and to Boustani OSAMA (LinkedIn) for also reporting it before the public announcement.

A Personal Note

My apologies for this issue slipping by. As the individual responsible for the project, I know issues are inevitable on a project of this size & age, but it never feels great to publish a security release & advisory, and these last two have been particularly painful. These issues are ultimately my fault though, and I do have responsibility to BookStack users.

I’ve been thinking a lot about ways to help prevent the kinds of issues which have arisen, and ways to encourage more consistent security review of BookStack, with the intent to improve these elements over the coming months.

You may have noticed the recent high amount of security releases. A factor in this is that when one report is published, it encourages other researchers to look at the project. This increases with project popularity. Since we’ve had relatively few in prior years, the recent reports have led to a rise in momentum, leading to more researchers looking at the project, and more reports, and therefore more discoveries. Ultimately this is good for the project to increase security, and I am very thankful to those researchers who disclose issues. I’ll be looking at viable options for being part of a more formal security/bug bounty program again to encourage a more continuous review, catching issues sooner, rather than “bursts” of reports like this. We were part of a bounty program before, which I had found to be useful, but we were (kindly) booted off when it changed to cater for AI-based projects only.

Full List of Changes

  • Updated user creation to only use validated input from registration.
  • Updated PHP package versions.
  • Updated translations with latest Crowdin changes. (#6064)
  • Updated PHP_CodeSniffer repository link. Thanks to @rodrigoprimo. (#6060)
  • Updated WYSIWYG editors to have consistent collapsible block double click behavior. (#6059)
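The first item above, creating the user only from validated registration input, is the pattern illustrated by this added example. It is not BookStack's code: the field names, the validation rules and the DEFAULT_ROLE_ID value are assumptions made for the illustration. The point is that the user record is built from an explicit allow-list of validated fields, and the role is decided server-side, so any extra key in the submitted form (such as a "roles" field) is simply dropped rather than passed through to user creation.

```php
<?php
// Added illustration (not BookStack's code): register a user from form input
// using only an explicit allow-list of validated fields, so extra submitted
// keys such as "roles" can never reach the user record.

const DEFAULT_ROLE_ID = 2; // assumed id of the default self-registration role

function validateRegistration(array $input): array
{
    $errors = [];
    $name = trim((string)($input['name'] ?? ''));
    $email = trim((string)($input['email'] ?? ''));
    $password = (string)($input['password'] ?? '');
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'name';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    if (strlen($password) < 8) {
        $errors[] = 'password';
    }
    if ($errors) {
        throw new InvalidArgumentException('Invalid fields: ' . implode(', ', $errors));
    }
    // Only the fields declared here are returned; anything else in $input is dropped.
    return ['name' => $name, 'email' => $email, 'password' => $password];
}

function buildUserRecord(array $validated): array
{
    return [
        'name' => $validated['name'],
        'email' => $validated['email'],
        'password_hash' => password_hash($validated['password'], PASSWORD_DEFAULT),
        // Roles are decided by the server, never read from the request.
        'role_ids' => [DEFAULT_ROLE_ID],
    ];
}

// Constructed form submission that carries an unexpected extra field.
$submitted = [
    'name' => 'Alice Example',
    'email' => 'alice@example.com',
    'password' => 'correct horse battery',
    'roles' => [1], // not an allow-listed field, so it is ignored
];
$user = buildUserRecord(validateRegistration($submitted));
var_dump($user['role_ids']);
```

Contrast this with passing the whole request array straight into user creation, which is the shape of mistake the "validated input only" change guards against.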

For More Information

You can find update instructions here.
If you have any questions or comments about this advisory:


Header Image Credits: Photo by M J Roscoe (CC-BY-SA 2.0) - Image Modified