New release: 1.11.3
This third bugfix release for 1.11.x fixes some bugs, security issues and user experience problems reported since the release of 1.11.0:
🔒 Security fixes
RCE in OctoPrint via Unsanitized Filename in File Upload, severity High (7.5): OctoPrint versions up until and including 1.11.2 contain a vulnerability that allows an authenticated attacker to upload a file under a specially crafted filename that will allow arbitrary command execution if said filename becomes included in a command defined in a system event handler and said event gets triggered.
If no event handlers executing system commands with uploaded filenames as parameters have been configured, this vulnerability does not have an impact.
See also the GitHub Security Advisory and CVE-2025-58180
Minor Security fixes
- #5169: Got rid of unused and unneeded cookie setter functionality in `LargeResponseHandler` as it could be used to break returned responses through user input.
✨ Features & improvements
Application Keys Plugin
- Added a new CLI command to trigger the appkey request workflow, see `octoprint plugin appkeys:request-key --help` for details.
Event Manager Plugin
- Allow configuring whether to enable shell mode on a system event hook.
- Slight UI changes to improve UX.
Healthcheck Plugin
- New healthcheck to check for deprecated global API key being set and possibly used, disabled for now, will be enabled with 1.12.0
🐛 Bug fixes
Core
- #5177: Removed an unwanted side effect on `HierarchicalChainMap._unflatten` that could make it impossible to reset the run-time value of a `dict`-based setting back to an empty dict.
- Got rid of any uses of the `cgi` module, which has been deprecated for a while now and removed from Python 3.13+.
- Added a note that the global API key will be removed with the release of OctoPrint 1.13.0.
- Pinned the `psutil` dependency to version 6.0.0 to work around a problem with its builds available on piwheels.
Application Keys Plugin
- #5170: Fix access request handling on newly opened page
Upload Manager Plugin
- Use proper name for `filesViewModel` instead of deprecated name `gcodeFilesViewModel`.
You can also take a look at the changelog on GitHub.
Like every single release (and release candidate) of OctoPrint ever since early 2016 this release was made possible only through continued financial support by people like you! 💕
Click here if you enjoy OctoPrint and want to help with its funding!
Issues while updating?
On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.
Also make sure to check any of the heads-ups or plugin incompatibilities listed below.
Heads-ups
The heads-ups from 1.11.0 still apply, please read them carefully, they might impact you and how you use OctoPrint! Also see the Further Information and Links below for more information, where to find help and how to roll back.
The following heads-ups from earlier releases also still apply:
For this bugfix release there are additional heads-ups:
🔒 Explicitly configure whether to use shell mode for your system event subscriptions
OctoPrint 1.11.3 introduces a new `shell` parameter on `type: system` commands that allows you to specify whether the command should be run in a shell (`true`, currently the default) or directly (`false`, the future default).
Running commands in a shell has security implications, as a misconfigured command with placeholders coming from external, potentially untrusted sources can lead to arbitrary command execution. However, running commands in a shell also allows for more powerful scripting and gives access to the shell’s environment, often making it unnecessary to set the full paths of commands that are supposed to be run.
OctoPrint so far has been running system commands defined in event hooks within a shell. Starting with OctoPrint 1.11.3, OctoPrint will log a message to `octoprint.log` when it encounters a system hook that hasn’t yet explicitly configured `shell`, and default to enabling shell mode. From 1.13.0 onward, this behaviour will change, and OctoPrint will default to not enabling shell mode in such cases, to further reduce the attack surface.
You should make an explicit decision now. Try to make your commands work without having to enable shell mode, and thoroughly vet your commands and parameter processing if you have to enable shell mode.
The bundled Event Manager’s UI has been adjusted to allow you to configure the `shell` parameter.
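To find the hooks this heads-up is about, the following added example (not part of OctoPrint or of this announcement) audits an already parsed `config.yaml` for `type: system` subscriptions and reports which ones have no explicit `shell` setting or combine shell mode with placeholders. It assumes subscriptions live under `events.subscriptions` with `event`, `command`, `type` and `shell` keys, and treats every `{...}` placeholder as potentially untrusted; the sample configuration and script paths are constructed.

```python
import re

# Assumption: any {placeholder} may carry externally supplied data
# (for example the name of an uploaded file).
PLACEHOLDER = re.compile(r"\{[^{}]+\}")

def audit_system_hooks(config):
    """Report the shell-mode status of every `type: system` event hook."""
    findings = []
    subs = (config.get("events") or {}).get("subscriptions") or []
    for sub in subs:
        if sub.get("type") != "system":
            continue  # only system commands are affected by the shell setting
        commands = sub.get("command") or []
        if isinstance(commands, str):
            commands = [commands]  # a hook may define one command or a list
        placeholders = sorted({p for c in commands for p in PLACEHOLDER.findall(c)})
        shell = sub.get("shell")
        # 1.11.3 behaviour: an unset `shell` is logged and still means shell mode.
        runs_in_shell = True if shell is None else bool(shell)
        findings.append({
            "event": sub.get("event"),
            "explicit": shell is not None,
            "runs_in_shell": runs_in_shell,
            "placeholders": placeholders,
            # Shell mode plus placeholders is the combination to vet first.
            "needs_review": runs_in_shell and bool(placeholders),
        })
    return findings

# Constructed sample, shaped like the result of parsing config.yaml.
SAMPLE_CONFIG = {"events": {"subscriptions": [
    {"event": "FileAdded", "type": "system",
     "command": "/usr/local/bin/notify.sh {name}"},            # shell not set
    {"event": "PrintDone", "type": "system", "shell": True,
     "command": "logger 'print done'"},                        # shell, no placeholders
    {"event": "Upload", "type": "system", "shell": False,
     "command": "/usr/local/bin/archive {path}"},              # runs directly
    {"event": "Connected", "type": "gcode", "command": "M115"},
]}}

if __name__ == "__main__":
    for f in audit_system_hooks(SAMPLE_CONFIG):
        flag = "REVIEW" if f["needs_review"] else "ok"
        note = "" if f["explicit"] else " (shell not set explicitly)"
        print(f"{flag:6} {f['event']}: shell={f['runs_in_shell']}{note} {f['placeholders']}")
```

Hooks reported with `explicit` set to false are the ones that will change behaviour when the default flips in 1.13.0.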
🔥 Switch to Application Keys, the global API key will be removed in 1.13.0
The global API key has been deprecated for a long time now. So far the deprecation notice said it would be removed in OctoPrint 2.0, however this now has been rescheduled to OctoPrint 1.13.0.
OctoPrint 1.12.0 will prepare this removal further and ship with a new health check enabled that will detect if you have a global API key set. OctoPrint 1.13.0 will then remove it altogether.
Instead of using the global key you should create individual Application Keys for your third party clients. That way they get permissions matching the user account used for key creation and you can also revoke access to one app without having to change the keys for all other apps. It’s also recommended to create a user account without admin access and use that for third party clients where possible.
Thanks
Thanks to everyone who contributed to this bugfix release and provided full, analyzable bug reports, suggestions, feedback and - of course - funding!
Also another Thank you! to @prabhatverma47 for the responsible disclosure of vulnerabilities fixed in this release.
Further Information
If connected to the internet, OctoPrint will allow you to apply this update automatically via an update notification. It may take up to 24h for this notification to pop up, so don't be alarmed if it doesn't show up immediately after reading this. You can force the update however via Settings > Software Update > Advanced options > Force check for update.
If your update fails chances are high you are running into one of the common update issues listed with fixes here, so please go through that FAQ entry first.
If you have any problems with your OctoPrint installation, please seek support on the community forum.
Links
- Changelog and Release Notes
- FAQ entry "My OctoPrint update fails" (Read in case of any update problems!)
- Community forum
- Discord Server
- FAQ
- Documentation
- Contribution Guidelines (also relevant for creating bug reports!)
- How to file a bug report
- How to roll back to an earlier release (OctoPi)
- How to roll back to an earlier release (manual install)

- Published: 09 Sep 2025
- Category: Release