This is a mandatory security update. This release addresses a critical vulnerability and includes several important bug fixes related to tagging, the user interface, and configuration.

Security

• Critical: Privilege Escalation

• This release patches a critical privilege escalation vulnerability. We would like to thank ENISA for reporting this issue. We strongly recommend all users upgrade their instances immediately.

• GCVE-1-2025-0017

Fixes and Improvements

Tagging

• Fixed a bug that prevented some tags from being saved correctly due to a double-encoding issue.
• The “Restore deleted tag” functionality has been fixed. This was previously broken after a change to remove tags by ID.
• Tags are now reliably removed by their ID instead of their value, improving data integrity.
• Resolved a UI layering (z-index) issue where the tagging selection menu would incorrectly appear behind modals.

User Interface (UI)

• Fixed an issue in modals where users could not type or search in dropdown menus (select2). The dropdowns are now correctly attached to the modal body, re-enabling keyboard events.

Configuration

• Cerebrate will now correctly fall back to the baseurl defined in config.json if the fullbaseurl is not set, improving configuration flexibility.

Maintenance

• The sqlite3 dependency requirement has been corrected.

We’re happy to announce the release of Cerebrate v1.29, bringing useful improvements to user management, tagging consistency, and query handling.

✨ New & Improved

• User Filtering Enhancements
  • You can now filter users by their roles for easier management.
  • Added filtering for enabled/disabled users, making it simpler to review account status.
• Tags
  • Extended the name field length to 255 characters, aligning with MISP compatibility.

🛠️ Fixes

• Search Improvements
  • Corrected support for negating metafield searches using !=, ensuring more accurate filtering in CRUD operations.

🔧 Other

• General version bump and codebase maintenance/merges.

Release date: 2025-08-22

🚀 New Features

• Bulk User Editing
  Added option to bulk edit users, making user management more efficient.

⚙️ Changes

• Meta Templates
  Metafields in forms are now sorted based on their field property for better usability.

• Version bump

🛠 Fixes

• Security
  Fixed ACL for user settings edit, which previously allowed enumeration of usernames.
  • Reported by: Jeroen Pinoy
  • Developed during Hackathon.lu 2025
  • GCVE-1-2025-0003

• Permissions
  Added meta field editor permission to role view. Fixes #195.

• Validation
  Prevented RecordNotFoundException on invalid meta_template_field_id.
  Added existence check in MetaFieldsTable::isValidMetaField() to ensure missing references don’t cause unhandled exceptions.

🔧 Other

• Various branch merges (develop, main, 205).
• Merged PR #196: add meta field editor permission to role view.

✨ Contributors

Thanks to all contributors for this release:

• Sami Mokaddem
• Andras Iklody (iglocska)
• Jeroen Pinoy
• DocArmoryTech

New Features

User Experience (UX)

• Improved interlinking between users and individuals:
  • Users associated with individuals are now displayed.
  • Individuals linked to users are now visible.

Fixes

User Experience (UX)

• User profile is now correctly displayed in the header bar.

Group Administration

• Permissions for group admins have been added.

User Editing

• Fixed role-based editing permissions for roles ≤ Community Admin (fixes #198).

As always, thank you for your continued support and contributions to the Cerebrate project!

For a detailed list of changes, visit the Cerebrate GitHub repository.

We are glad to announce the release of Cerebrate v1.26, which introduces new features, key improvements, and a host of fixes aimed at enhancing functionality and security. Here’s a breakdown of what’s new:

🚀 New Features

• Bookmark Security Enhancements:
  Administrators can now tighten bookmark creation rules by restricting base URLs to a predefined list via server settings, ensuring greater control and security.

🔧 Improvements & Changes

• AuthKey Management:
  • More elegant solutions for adding authentication keys.
  • Improved permission handling for group admins, allowing them to manage API keys for their groups.
  • Streamlined user dropdown for adding AuthKeys to focus on relevant users only.

🛠️ Fixes

This release resolves numerous issues to improve system stability, usability, and security:

Security Fixes:

• Tightened role assignment permissions to prevent privilege escalation by low-privilege administrators.
• Improved ACL handling for group admin permissions, preventing unauthorized user assignments to external organizations.
• Bookmark error handling enhancements, ensuring failures are explicitly reported and resolved.

Bug Fixes:

• Fixed installation issues caused by non-boolean debug mode.
• Correctly set the perm_community_admin value to resolve community admin role issues.
• Improved debug level settings to ensure numeric values fall within valid ranges.
• Addressed typos in configurations, descriptions, and controllers for smoother operation.
• Resolved internal server errors in user settings view when accessed without a user ID.
• Fixed cryptic error messages related to role deletions with attached users.

Usability Enhancements:

• Enhanced error handling for Ajax contexts, ensuring clear feedback during save failures.
• Resolved edge cases for PGP key status checks.
• Set proxy settings diagnostics severity to info for improved clarity.

📝 Miscellaneous Updates

• Streamlined and cleaned up the ACL component by removing duplicate checks.

We encourage all users to update to v1.26 to benefit from these enhancements and fixes.

Huge shoutout to @Wachizungu for his incredible contributions and attention to detail! 😎

As always, thank you for your continued support and contributions to the Cerebrate project!

For a detailed list of changes, visit the Cerebrate GitHub repository.

We are excited to announce the release of Cerebrate v1.25! This update includes several new features, enhancements, and bug fixes to improve the overall experience.

New Features:

• UI Enhancements: Country flags have been added in the following sections:
  • Organisations: /organisations/[index/view]
  • Users: /users/[index/view]
    Contributed by Sami Mokaddem

Changes:

• Docker README: Updated PHP version.
  Contributed by Sami Mokaddem
• User Permissions: Refined permission limitations for organisations on the /users/add page.
  Contributed by Sami Mokaddem
• Bookmarks: Improved the handling of malformed content, ensuring the system fails gracefully instead of throwing server errors (500s).
  Contributed by iglocska

Fixes:

• Permission Limitations: Corrected the display of the number of permission limitations for org_group_managers when an organisation they manage lacks users.
  Contributed by Sami Mokaddem
• User Filtering: Added ACL entries for the filtering modal on the users’ index page.
  Contributed by Sami Mokaddem
• UI Fixes: Adjusted the search dropdown width to prevent overflow on large result sets, addressing issues raised by @gallypette and @adulau.
  Contributed by Sami Mokaddem
• Group Admin: Resolved a DatabaseException occurring when a group-admin condition included an empty list of values.
  Contributed by Sami Mokaddem
• Bookmarks: Added additional error handling for malformed bookmark entries.
  Contributed by iglocska

Other:

• Several merges from main and develop branches to keep the codebase up-to-date.
  Contributed by Sami Mokaddem, iglocska, Andras Iklody

This release strengthens the stability and functionality of Cerebrate. Thanks to all contributors for their valuable input!

API improvements

Improvement of meta field usage via the API

Add/Edit endpoints have been updated to accept a simplified format of metafields for easier integration. Metafields are now passed as a list of objects with 4 required keys (field, value, template_uuid and template_version).

An example for adding a user, along with metafields set is as follows:

{
    "individual": {
        "email": "andras.iklody@circl.lu",
        "first_name": "Andras",
        "last_name": "Iklody"
    },
    "username": "andras.iklody@circl.lu",
    "organisation_id": "2",
    "role_id": "3",
    "meta_fields": [
      {
        "field": "perm_misp",
        "value": true,
        "template_uuid": "447ded8b-314b-41c7-a913-4ce32535b28d",
        "template_version": 2
      }
    ]
}

Better error handling

Passing malformed data or not setting the proper media type headers resulted in rather arcane messages, complaining about certain validation errors / missing fields in the provided content. This lead to a fair bit of confusion, so from v1.24 on, if for whatever reason Cerebrate cannot pick up on the contents of a POST/PUT request, it will return a 400 warning the user about malformed / missing post bodies.

Thanks to Paweł Pawliński for testing the API and providing feedback!

Alignments and authoring of individuals

In order to shed the frustrations that were up until now caused by org admins / group admins being able to create Individuals, but not to modify them after the fact, we have modified the behaviour altogether.

Having an alignment to the individual enabled org/group admins to modify individuals and as of v1.24, any individual created by one of them will automatically be aligned with their organisation. This should allow org/group admins to retain authoring right.

Version and links to the Cerebrate-project resources

We have added a link to both Cerebrate-project’s website and the release notes of the current version to a small header text displayed at all times after login, also indicating the currently installed version for easier identification.

New

• [metafield editor permission] added. [iglocska]

  • users/org admins/group admins/community admins can now only modify metafield data on any object if the permission is set for their role
  • Since some communities use this for ACL to secondary tools, this will allow them to restrict who can modify them

Changes

• [version] bump. [iglocska]

Cerebrate - v1.22 (2024-08-24)

New

• [administration] allow group/org admins to edit individuals aligned to their managed orgs. [iglocska]

  • based on alignment

• [permissions] split of admin and community admin. [iglocska]

Changes

• [migration] minor fix for rerunability. [iglocska]

• [version] bump. [iglocska]

• [cleanup] removed older revision of upgrade script. [iglocska]

Fix

• [metafield limitation] fixes. [iglocska]

  • correctly show error messages on user creation when limits are hit
  • fixed a bug that cause users from being uncreatable even due to a hit limitation, even if the current user wouldn’t influence said limitation

• [community admin] fixes. [iglocska]

• [ACL component] fixes. [iglocska]

New

• [extended logger] added. [iglocska]

  • Added more information about the request to the stack traces
  • logs user name / ID
  • logs request x-forwarded-for

Changes

• [tag] bumped. [iglocska]
• [permission limitations] free limitation count when user disabled. [iglocska]
  • Thanks to Elisabeth from BSI for reporting it
• [permission limitations] free limitation count when user disabled. [iglocska]

Fix

• [user add] fixed bug with metafields on new users causing an exception. [iglocska]

• Metafield Restrictions: Not enforced on an edit that doesn’t change the state of the offending value.
  • If a user is already over the limit of a restriction, they should still be editable.

Changes

• Encryption Keys: Listed for organizations and individuals on their respective views. (Fixes #167)
• Dashboard Redirects: To individual models now sort by modified by default.
  • The dashboard shows new entries, making it logical to sort the list based on changes.
  • Small fix to avoid sanitizing index URLs, ensuring multiple query parameters work correctly.

Fixes

• Alignments: Rules relaxed. (Fixes #164)
  • Site admins can add alignments to anyone.
  • Organization admins can add alignments for their own organization members.
  • Group admins can add alignments for any of their managed organization’s members.
• Authkeys: Allow for authkeys with no expiration set. (Fixes #169)
• Authkey Add: Ensure default to expiration=0 if not provided.
• Encryption Keys: Allow for large keys.
• Setting Cerebrate: Enforce debug setting to be true or false.