BookStack Security Release v26.03.4

Dan Brown posted on the 30th of April 2026

BookStack v26.03.4 has been released.

This is a security release to improve attachment related permission checks, and URL validation for webhooks.

Upgrade is advised if you allow untrusted users to delete attachments, or if untrusted users have permission to create webhooks on instances which make use of the ALLOWED_SSR_HOSTS BookStack env file option.

Thanks to 404_pkj (GitHub) and naruhodoowl (GitHub) for responsibly reporting these issues.

Full List of Changes

Updated PHP package versions.
Updated attachment actions to align page access check.
Updated URL validation in webhooks to help prevent escaping workarounds.
Fixed issue where exact search term negation would lead to no results. (#6121)

For More Information

You can find update instructions here.
If you have any questions or comments about this advisory:

Ask in the BookStack Community.
Open an issue in the BookStack Codeberg repository.
Follow the BookStack security policy to contact someone privately.

Header Image Credits: Photo by Rhododendrites (CC-BY-SA 4.0) - Image Modified

Want to let me know what you think of BookStack or this post?
You can find me on Mastodon @danb@fosstodon.org or in the BookStack Community.

Subscribe to Updates

There are two lists you can sign-up to for updates, A general news & updates list, sent on a weekly basis, and a security alerts list that's sent when new security updates are available.

News and Updates | Security Alerts