paperless-ngx v2.20.15 released on 27-04-2026

paperless-ngx v2.20.15 is out now. It addresses a reported security issue (GHSA-8c6x-pfjq-9gr7) and tightens authentication and mail-account handling to reduce unintended exposure.
Visit the project’s GitHub release page for full notes and upgrade instructions.

What’s in this release
- Security update addressing GHSA-8c6x-pfjq-9gr7 — recommended for all users.
- Hardening: the app now uses only the allauth-provided login and logout endpoints, limiting alternate authentication routes.
- Scoping fix for mail account enumeration: prevents broader-than-intended exposure of mail account listings and improves multi-account isolation.
- API and UI robustness fixes: the API notes endpoint now rejects invalid requests, and CustomFieldQueryAtom no longer emits intermediate change events when an operator changes type.

Upgrade notes
- Upgrade to v2.20.15 to apply the security fix; see the project’s GitHub release for upgrade steps and CI artifacts.
- No breaking changes are listed in the release notes. Back up your data before applying the update, and follow your normal upgrade procedures.

