paperless-ngx v2.20.15 released on 27-04-2026
paperless-ngx v2.20.15 is out now. It fixes a security issue (GHSA-8c6x-pfjq-9gr7) and tightens authentication, mail-account scoping and API validation to reduce unintended endpoint exposure and malformed requests.
For full details and downloads, consult the project’s GitHub release page and release notes.
What’s in this release
- Security fix for GHSA-8c6x-pfjq-9gr7 — updating to v2.20.15 is recommended for all users.
- Limit authentication routes to use only allauth login/logout endpoints, tightening login/logout handling (PR #12639).
- Mail account enumeration is now correctly scoped, preventing broader-than-intended visibility during account discovery (PR #12636).
- API hardening: the notes endpoint now rejects invalid requests, and CustomFieldQueryAtom no longer emits spurious intermediate change events when an operator changes type (PRs #12582, #12597).
Upgrade notes
- The authentication route change may affect custom login/logout integrations or proxy rules; check any customised endpoints and update them to use the allauth login/logout endpoints (see PR #12639 on GitHub).
- No specific rollback instructions are included in the release notes; if you need to revert, return to the previous release and follow your standard rollback procedure.
Share feedback or report any issues on the project’s GitHub issue tracker so the maintainers and community can follow up on your experience.
