4.7.2

2025-12-10

patch

This patch release includes important bug fixes for API tracing, login UI, and permission enforcement. Note that the v2 permission enforcement may cause user listing issues for some configurations. Please test user listing operations after upgrade and review the known issues section.

Bug Fixes 3

Add tracing interceptor on connectRPC services (#11147) medium

Fixed missing root span on v2 API requests by adding OTEL tracing interceptor to connectRPC services. REST calls through grpc-gateway worked properly, but direct connectRPC calls lacked proper tracing.

api tracing v2-api
Force v2 permission checks on user listing (#10995, #11178) high

Enforced v2 permission model for user listing operations to address a security vulnerability. This change ensures consistent permission checking regardless of permission v2 setting state.

permissions user-service security
Fix back button on 2FA screen to allow username change (#11125) low

Fixed back button behavior on 2FA pages in login V1 to navigate to login screen instead of default redirect URI. This allows users to change their username during authentication. Also added back button to U2F verification screen for consistency.

login ui 2fa u2f

Contributors 1

L @livio-a

Upgrade Warnings

• ⚠️ We're currently investigating issues where some users cannot list users after the upgrade to this version.
• The v2 permission enforcement on user listing may cause permission denied errors in certain configurations
• Systems running since before v2.68 may experience missing membership roles - consider upgrading to v4.7.3+