This release is a security, maintenance and bug-fix release.
Security Fixes
This release has a number of important security fixes relating to API authorization bypasses & cross-site scripting that may facilitate additional attacks against administrators of your server. We recommend all users upgrade to this version to safeguard your GoCD server.
We assess the most severe of these issues as of high severity (CVSS v4.0 base score of 7.0), which you are vulnerable to if your GoCD environment allows polling of materials with changes submitted from low-trust or untrusted users.
All other resolved issues are all of low-to-medium severity (CVSS v4.0 base scores between 2.3 and 5.9) and require a valid GoCD user account to exploit - representing vulnerabilities only to attacks from malicious or compromised existing GoCD users. Effectively all historical GoCD versions prior to 26.1.0 are affected by one of the top 3-4 vulnerabilities.
If you cannot upgrade immediately, we recommend you mitigate the more severe issues by taking these three steps:
- Pause or remove use of materials which automatically poll for changes contributed by un-trusted upstream users, e.g. tracking pull/merge requests from forks on open-source style repositories
- Use your reverse proxy/CDN to block access to URLs prefixed by
/go/admin/restful/*. This has no impact on GoCD functionality. - Review all configured Pipeline Tracking Tool regular expressions for correctness.
These security vulnerabilities were responsibly disclosed via high quality research performed by Aditya Bisht, b0b0haha, j311yl0v3u, Jan Kahmen (turingpoint), Ori Gabriel, Markus Magnuson (GitHub) & Mohammed Amer (hackerone) - the team extend our thanks for their efforts.
Like many projects in the wider industry, the recent marked improvement in generative AI / LLM penetration testing harnesses has lead to a large increase in both discovered vulnerabilities and average report quality of reports - hence there are 10 distinct vulnerabilities resolved in this release.
To give users some time to mitigate or upgrade, these vulnerabilities will be disclosed 2-4 weeks from now via GitHub Security Advisories and formal CVEs according to our disclosure policy.
Java 21 is now the minimum supported version
Java 21 was released in September 2023, and has had complete support within GoCD since version 24.1.0, over 2.5 years before this release. Since then it has been packaged with both GoCD container images & installers by default.
This has proven to be very stable, so to reduce maintenance overhead and support upgrades to some dependencies that require Java 21, we are now making Java 21 the minimum supported version.
If you are aiming for minimal agent/server downtime in an upgrade to GoCD 26.1.0+, you can do so by following:
- Ensure your existing agents are running with Java 21+. - If your agents are using GoCD 24.2.0+ from official GoCD containers there is nothing extra to do. These already package and run Java 21+. - If your agents are using GoCD 23.2.0+ from other install approaches, they are already Java 21-compatible. Ensure they are running with Java 21+.
- Ensure your existing server is running with Java 21+. - If your server is using GoCD 24.2.0+ from official GoCD containers there is nothing extra to do. These already package and run Java 21+. - If your server is using GoCD 23.2.0+ from other install approaches, it is already Java 21-compatible. Ensure it is running with Java 21+.
- Upgrade your server to GoCD 26.1.0 without worry about Java issues. - Older agents running Java 21+ will restart automatically against a GoCD 26.1.0 server. - You can now validate your installation and agents are working fine.
- (Optionally) You can now upgrade your agents to GoCD 26.1.0 whenever you choose. - Technically GoCD agent installs are only a “bootstrapper” which downloads the matching agent code from the server for each release. It is wise to avoid too much discrepancy in versions to make upgrades (like this one!) easier, but it is not critical.
If you have issues, downgrades back to 23.2.0+ should be fine - there have been no breaking database or configuration changes within these versions. If you have any further queries/issues, please ask on GitHub Discussions or the Google Group.
Enhancements
- #14174, #14172, #14442 - Add job console log support for ANSI faint, italic, underline and URL linking/highlighting.
- #14308 - Improve rendering of long pipeline names in pipeline activity/history, config & comparison views.
- #14120 - Change baseline to require Java 21 minimum.
- #14326 - Bundle latest Java 25.0.3 release with non-Linux installers & containers
- #14119 - Allow Adoptium / Eclipse Temurin JRE installs to meet linux dependency requirement.
- Starting this release, Ubuntu 26.04 (Resolute Raccoon) based docker images for GoCD Agent are available.
Bug fixes
- #14362 - GoCD 25.4.0 broke Stage Status email notifications
- #14124 - GoCD 25.4.0 introduced date format nuisances in UI and Log
- #14134 - GoCD 25.4.0 logs spurious errors during job status processing for jobs cancelled prior to assignment
- #10052 - Modification duplicate removal can fail for large source control histories
- #14394 - Console log copying on Job completion can fail with spurious errors when jobs are completely re-run
- #12006 - CCTray reporting old failures for stages which no longer exist on the pipeline
- #14396 - Dashboard-Queue-Processor throws spurious exceptions after pipeline conversion to template
- #12427 - Unable to move pipeline group when using pipeline filter
- #12672 - JSON API calls can fail while running a pipeline
- #14397 - Validate supplied template/pipeline names exist when creating via the template creation API
- #14409 - Redirect-after-login can redirect user to non UI views
- #14282 - Ensure container image safe shutdown by use tini as PID 1 from initial boot
- #14357 - Ensure Test Drive experience works correctly when users use SSH keys for Git GPG
- #14360 - Background of hovered locked pipeline icon is incorrect when user lacks unlock permissions
- Correct rendering of package material comments across various views
Other changes
- #14398 - Remove Stage Detail admin-only Config XML tab
- #14398 - Remove legacy /go/api/admin/config/current.xml and /go/api/admin/config/:md5.xml APIs (without direct replacement)
- #14112 - Drop macOS x64 support
APIs
Improvements, deprecations and breaking changes in the API and plugin API have been moved to their respective changelogs - API changelog for 26.1.0 and Plugin API changelog for 26.1.0.
Contributors
Aditya Bisht (cherry-bisht, bisht-ji, oceany), Aravind SV, Arthur Embleton, Asish Kumar, Chad Wilson, Chris Gillatt, Gareth Coles, Jan Kahmen (of turingpoint.de), Markus Magnuson (alimony / peppersghost), Mohammed Amer (0nlymohammed), Ori Gabriel (climaxx), Ryan Dutton, Samuel Goncalves, Yelin Aung, b0b0haha (b0b0hahaxixi), j311yl0v3u
Note
A more comprehensive list of changes for this release can be found here.
Found a security issue that needs fixing? Please report it to https://hackerone.com/gocd
Please report any issues that you observe on GitHub issues.
