New release: 1.11.2
This second bugfix release for 1.11.x fixes some bugs, security issues and user experience problems reported since the release of 1.11.0:
🔒 Security fixes
File exfiltration possible via upload endpoints, severity Moderate (5.4): OctoPrint versions up to and including 1.11.1 contain a vulnerability that allows an attacker with the `FILE_UPLOAD` permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload folder, from where they can then be downloaded. The primary risk lies in the exfiltration of secrets stored inside OctoPrint's config, or of further system files. By moving important runtime files away from their original location, this could also be used to impact the availability of the host. Given that the attacker needs a user account with file upload permissions, the actual impact should however be minimal in most cases.
See also the GitHub Security Advisory and CVE-2025-48067.
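To make the advisory's point concrete, below is an added, self-contained illustration (not OctoPrint's code and not its actual fix) of the kind of "move this path into the upload folder" operation the advisory describes, next to a hardened form that resolves both source and destination with realpath and refuses anything that ends up outside the upload root. The upload folder, the "config.yaml" secret and the file names are all constructed in a temporary directory for the example.

```python
"""Added example: unchecked vs. containment-checked 'move into uploads'.
Not OctoPrint's code; the paths and secret below are constructed for the demo."""
import os
import tempfile
from pathlib import Path


def resolve_within(root: Path, name: str) -> Path:
    """Resolve `name` against `root` and refuse anything whose real path escapes it.

    os.path.realpath follows symlinks and collapses '..', so an absolute path,
    a literal '../../etc/passwd' and a symlink planted inside the folder that
    points outside it are all rejected the same way.
    """
    root_real = Path(os.path.realpath(root))
    # os.path.join discards root_real if `name` is absolute, which is exactly
    # the case the containment check below then catches.
    target = Path(os.path.realpath(os.path.join(root_real, name)))
    if target != root_real and root_real not in target.parents:
        raise PermissionError(f"{name!r} resolves to {target}, outside {root_real}")
    return target


def move_into_uploads_unchecked(upload_root: Path, source: str, dest_name: str) -> Path:
    """Shape of the weakness: any host path the process can read ends up in the
    (downloadable) upload folder, and is gone from where it used to be."""
    dst = upload_root / dest_name
    os.replace(source, dst)
    return dst


def move_into_uploads_checked(upload_root: Path, source: str, dest_name: str) -> Path:
    """Hardened form: source and destination must both resolve inside upload_root."""
    src = resolve_within(upload_root, source)
    dst = resolve_within(upload_root, dest_name)
    if not src.is_file():
        raise FileNotFoundError(source)
    os.replace(src, dst)
    return dst


def demo() -> dict:
    """Constructed scenario: a 'secret' config file sits next to the upload folder."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        uploads = tmp / "uploads"
        uploads.mkdir()
        secret = tmp / "config.yaml"
        secret.write_text("api: {key: constructed-example-secret}\n")

        # Unchecked: the secret lands in the upload folder, ready for download.
        moved = move_into_uploads_unchecked(uploads, str(secret), "innocent.gcode")
        results["unchecked_exfiltrated"] = moved.read_text().startswith("api:")
        os.replace(moved, secret)  # put it back for the remaining cases

        # Checked: an absolute path outside the root is refused.
        try:
            move_into_uploads_checked(uploads, str(secret), "innocent.gcode")
            results["checked_absolute_refused"] = False
        except PermissionError:
            results["checked_absolute_refused"] = True

        # Checked: '..' traversal in the destination name is refused too.
        (uploads / "legit.gcode").write_text("G28\n")
        try:
            move_into_uploads_checked(uploads, "legit.gcode", "../escaped.gcode")
            results["checked_traversal_refused"] = False
        except PermissionError:
            results["checked_traversal_refused"] = True

        # Checked: a symlink inside the folder pointing outside is refused (realpath follows it).
        try:
            (uploads / "link.gcode").symlink_to(secret)
        except OSError:
            results["checked_symlink_refused"] = None  # platform does not allow symlinks here
        else:
            try:
                move_into_uploads_checked(uploads, "link.gcode", "renamed.gcode")
                results["checked_symlink_refused"] = False
            except PermissionError:
                results["checked_symlink_refused"] = True

        # Checked: a legitimate rename inside the folder still works.
        renamed = move_into_uploads_checked(uploads, "legit.gcode", "renamed.gcode")
        results["legit_rename_ok"] = renamed.resolve() == (uploads / "renamed.gcode").resolve()
    return results


if __name__ == "__main__":
    print(demo())
```

The check is deliberately applied to the destination name as well as the source: a traversal in the target name would let a caller drop a file outside the folder, which is the availability side of the same bug class.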
Denial of Service through malformed HTTP request in OctoPrint, severity Moderate (6.5): OctoPrint versions up to and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a malformed `multipart/form-data` request to OctoPrint and thereby make the web server component unresponsive. This could be used to run an effective denial of service attack against the OctoPrint server.
See also the GitHub Security Advisory and CVE-2025-48879.
Minor Security fixes
- Core: Only allow bypassing CSRF protection with a provided API key. Before, OctoPrint would also disable CSRF protection if there was no session context at all (e.g. a manual `curl` request). Also added some E2E tests for that.
- Application Keys Plugin: Added a strong warning to the application keys dialog that allowing an app to create an appkey will give it the user's permissions. Also added the remote address from which the appkey request is coming.
- Application Keys Plugin: Added a rate limit on the app keys request endpoint, to reduce the likelihood of an attacker on the local network spamming the instance with requests that the user then might accidentally allow.
✨ Features & improvements
Core
- #5158: Pinned the third-party Click dependency to anything but 8.2.0, as that version has a bug in how it parses boolean flags, leading to issues with e.g. `octoprint user add --admin` not working when it is installed.
- Added a new decorator `BlueprintPlugin.limit` to decorate endpoints with a rate limiter.
- Added a method `SimpleApiPlugin.is_api_protected` to query whether the API endpoints should have some basic authentication added by OctoPrint, similar to `BlueprintPlugin.is_blueprint_protected`. For now this method will return `False` (and log a warning to `octoprint.log`, prompting plugin authors to implement it explicitly). In a future OctoPrint version - current plan is 1.13.0 - this will default to `True`, enforcing basic protection on all `SimpleApiPlugin` implementations. See also the corresponding heads-up.
CI
- Now building PEP625 compatible sdists & wheels, and no longer building deprecated universal wheels.
🐛 Bug fixes
Core
- #5156: Fix 403 errors triggered by `access_validation_factory` due to missing permissions getting turned into HTTP 500.
- #5161: Fixed the Reverse Proxy Test page not working when pydantic 1.x is installed (Python 3.7).
- Made `octoprint dev plugin:install` work with `setuptools` >= 80.x and legacy plugin packaging.
- Fixed a typo in an internal method call causing plugin loading errors for specific packaging scenarios.
- Fixed escaping of whitespace for native `grep` calls.
Upload Manager Plugin
- #5162: Fixed sorting by “last printed date”.
You can also take a look at the changelog on GitHub.
Like every single release (and release candidate) of OctoPrint ever since early 2016 this release was made possible only through continued financial support by people like you! 💕
Click here if you enjoy OctoPrint and want to help with its funding!
Issues while updating?
On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.
Also make sure to check any of the heads-ups or plugin incompatibilities listed below.
Heads-ups
The heads-ups from 1.11.0 still apply, please read them carefully, they might impact you and how you use OctoPrint! Also see the Further Information and Links below for more information, where to find help and how to roll back.
For this bugfix release there are additional heads-ups:
🧩 `SimpleApiPlugin`s can now opt in to enforced authentication on their endpoints; a future version of OctoPrint will require an explicit opt-out to avoid it
Starting with OctoPrint 1.11.2, OctoPrint ships with a new method `SimpleApiPlugin.is_api_protected` on its `SimpleApiPlugin` mixin that, similar to the long existing `BlueprintPlugin.is_blueprint_protected`, tells OctoPrint whether it should enforce some basic authentication on the plugin's API endpoints or not.
For now, this method will by default return `False`, keeping the current behaviour of plugins having to implement their own authentication in `SimpleApiPlugin.on_api_get` and `SimpleApiPlugin.on_api_command`. However, this behaviour will change in a future version of OctoPrint (current plan is 1.13.0) to return `True` instead, enforcing some basic user authentication on all `SimpleApiPlugin`s.
Plugin authors should adjust their plugins now and explicitly opt in to protection by implementing `is_api_protected` like this:

```python
def is_api_protected(self):
    # Let OctoPrint enforce authentication on this plugin's SimpleApi endpoints
    return True
```
If this does not work with their plugin, they should explicitly opt out by returning `False` here (and implement their own authentication as needed).
Plugins that have not yet explicitly implemented the above method will cause a warning to be logged in `octoprint.log`.
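The three states a plugin can be in (opted in, opted out with its own authentication, not yet adjusted) and how the planned 1.13.0 default change affects the last one are easier to see in code. The following is an added, runnable model of the behaviour described above, not OctoPrint's implementation: the `SimpleApiPlugin` class is a stand-in stub (real plugins subclass `octoprint.plugin.SimpleApiPlugin`), the `api_get` dispatcher and its 403 response are the model's own choices, and the `Request`, logger name and plugin token are constructed for the example. Only the shape of `is_api_protected()` and `on_api_get()` mirrors the real mixin.

```python
"""Added example: model of the is_api_protected() opt-in/opt-out semantics.
The dispatcher and the stub mixin below are illustrative, not OctoPrint's code."""
import logging
from dataclasses import dataclass, field
from typing import Optional

log = logging.getLogger("octoprint.plugins.example")  # logger name assumed


@dataclass
class Request:
    """Minimal stand-in for the incoming request; constructed for the example."""
    user: Optional[str] = None          # None models an unauthenticated caller
    headers: dict = field(default_factory=dict)


class SimpleApiPlugin:
    """Stub of the mixin; real plugins subclass octoprint.plugin.SimpleApiPlugin."""

    def is_api_protected(self):
        # Not overridden by the plugin: the dispatcher below warns and applies
        # the version default instead of trusting this body.
        return False

    def on_api_get(self, request):
        return 200, {}


def api_get(plugin, request, *, protected_by_default=False):
    """Model of what OctoPrint does in front of on_api_get().

    protected_by_default=False models 1.11.2, True the planned 1.13.0 default.
    Returns an (http_status, body) tuple; 403 is this model's choice of rejection.
    """
    overridden = type(plugin).is_api_protected is not SimpleApiPlugin.is_api_protected
    if overridden:
        protected = bool(plugin.is_api_protected())
    else:
        log.warning("%s does not implement is_api_protected(), defaulting to %s",
                    type(plugin).__name__, protected_by_default)
        protected = protected_by_default
    if protected and request.user is None:
        return 403, {"error": "authentication required"}
    return plugin.on_api_get(request)


class OptedInPlugin(SimpleApiPlugin):
    """Explicit opt-in: anonymous callers are rejected before on_api_get runs."""

    def is_api_protected(self):
        return True

    def on_api_get(self, request):
        return 200, {"hello": request.user}


class OptedOutPlugin(SimpleApiPlugin):
    """Explicit opt-out: the plugin has to authenticate callers itself."""
    EXPECTED_TOKEN = "constructed-example-token"  # constructed for the example

    def is_api_protected(self):
        return False

    def on_api_get(self, request):
        if request.headers.get("X-Plugin-Token") != self.EXPECTED_TOKEN:
            return 403, {"error": "bad token"}
        return 200, {"status": "ok"}


class LegacyPlugin(SimpleApiPlugin):
    """Not adjusted yet: warned about in 1.11.2, protected by default from 1.13.0 on."""

    def on_api_get(self, request):
        return 200, {"temps": {"tool0": 210}}


def scenarios():
    """Status codes for each plugin state, under both defaults."""
    anon = Request()
    user = Request(user="alice")
    with_token = Request(headers={"X-Plugin-Token": OptedOutPlugin.EXPECTED_TOKEN})
    return {
        "opted_in_anon": api_get(OptedInPlugin(), anon)[0],
        "opted_in_user": api_get(OptedInPlugin(), user)[0],
        "opted_out_anon_no_token": api_get(OptedOutPlugin(), anon)[0],
        "opted_out_anon_token": api_get(OptedOutPlugin(), with_token)[0],
        "legacy_anon_1_11_2": api_get(LegacyPlugin(), anon)[0],
        "legacy_anon_1_13_0": api_get(LegacyPlugin(), anon, protected_by_default=True)[0],
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(scenarios())
```

The `LegacyPlugin` rows are the reason for the heads-up: a plugin that has not implemented the method serves anonymous requests today and will start rejecting them once the default flips, so an explicit `True` or `False` now removes the surprise later.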
Thanks
Thanks to everyone who contributed to this bugfix release and provided full, analyzable bug reports, suggestions, feedback and - of course - funding!
Another Thank you! goes to Jacopo Tediosi for the responsible disclosure of the vulnerabilities fixed in this release.
Further Information
If connected to the internet, OctoPrint will allow you to apply this update automatically via an update notification. It may take up to 24h for this notification to pop up, so don't be alarmed if it doesn't show up immediately after reading this. You can force the update however via Settings > Software Update > Advanced options > Force check for update.
If your update fails chances are high you are running into one of the common update issues listed with fixes here, so please go through that FAQ entry first.
If you have any problems with your OctoPrint installation, please seek support on the community forum.
Links
- Changelog and Release Notes
- FAQ entry "My OctoPrint update fails" (Read in case of any update problems!)
- Community forum
- Discord Server
- FAQ
- Documentation
- Contribution Guidelines (also relevant for creating bug reports!)
- How to file a bug report
- How to roll back to an earlier release (OctoPi)
- How to roll back to an earlier release (manual install)

Published: 10 Jun 2025
Category: Release