ThingsBoard v4.2.x Release Notes

What’s Changed

  • Security

    • #15368 Fixed CWE-770 in Jackson Core by @zzzeebra
    • #15417 Fixed CVE-2026-34487, CVE-2026-34486, CVE-2026-34483 by @zzzeebra
    • #15377 Fixed CVE-2025-70340: system alarm comments access control by @dashevchenko
    • #15466 Fixed multiple CVEs: 2026-39364, 2026-39363, 2026-4800 by @vvlladd28
    • #15538 Fixed CVE-2026-40895 by @mtsymbarov-del
    • #15458 Fixed CVE-2026-5588, CVE-2026-5598, CVE-2025-14813, CVE-2026-35554, CVE-2026-27314 by @zzzeebra
    • #15557 Fixed CVE-2026-40975, CVE-2026-40973, CVE-2026-22740, CVE-2026-42198 by @zzzeebra
    • #15412 Fixed SSRF vulnerability in AI model provider URLs by @zzzeebra
    • #15585 Fixed SSRF and file access vulnerabilities in TBEL script sandbox by @zzzeebra
    • #15588 Fixed CVE-2026-40682, CVE-2026-42027 by @zzzeebra
    • #15598 Fixed CVE-2026-42579, CVE-2026-42583, CVE-2026-42584, CVE-2026-42587 by @ViacheslavKlimov
    • #15600 Hardened remote JS executor script invocation by @smatvienko-tb
    • #15649 Fixed CVE-2026-41284, CVE-2026-43512 by @ViacheslavKlimov
  • Core & Rule Engine

    • #15333 Performance and reliability improvements for Efento message processing by @dashevchenko
    • #15520 Exposed HTTP response compression configuration params by @dashevchenko
    • #15565 LZ4 compression support for Kafka by @volodymyr-babak
    • #15313 Fixed WS sessions limit handling for public users by @dashevchenko
    • #15334 Fixed REST API Call node blocking actor thread and semaphore permit leak by @smatvienko-tb
    • #15457 Fixed entity filtering by boolean data key for EDQS by @dashevchenko
    • #15560 Fixed MAX aggregation for mixed double and long telemetry values by @dashevchenko
    • #15425 Added config property to control null ordering in dashboards by @dashevchenko
  • UI

    • #15330 Bumped Node.js version from 22.18.0 to 22.22.2 by @ViacheslavKlimov
    • #15556 HTML container widget by @ikulikov
    • #15362 Hidden “Add Telemetry” button for Entity view by @mtsymbarov-del
    • #15373 Added ‘@angular/core/rxjs-interop’ to modules map by @vvlladd28
    • #15399 Fixed select options being clipped in widget settings form by @vvlladd28
    • #15408 Fixed display long texts in Alarm assignee panel by @mtsymbarov-del
    • #15423 Fixed Alarm Assignee icon placement by @mtsymbarov-del
    • #15427 Adjusted size of entity type select to fit error message by @mtsymbarov-del
    • #15430 Fixed show/hide of custom header actions when using function to control visibility by @mtsymbarov-del
    • #15433 Fixed not set pageSize to child nodes in Entities hierarchy widget by @mtsymbarov-del
    • #15434 Fixed aggregation keys not being processed in Entities hierarchy widget by @mtsymbarov-del
    • #15531 Fixed map shape labels drifting from center after viewport resize by @mtsymbarov-del
    • #15581 Fixed CSV import not unescaping double quotes in unquoted fields by @ChantsovaEkaterina
  • Transport

    • #15301 Added automatic SSL/TLS certificate reload for transports without service restart by @AndriiLandiak
    • #15451 Fixed app hanging on MQTT port conflict at startup by @zzzeebra
    • #15346 SNMP: defer querying tasks until transport session is registered by @volodymyr-babak

Full Changelog: https://github.com/thingsboard/thingsboard/compare/v4.2.2.1...v4.2.2.2


What’s Changed

  • Security

    • #15204 Fixed XSS vulnerability in notification center by @vvlladd28
    • #15244 Fixed CVE-2026-24308, CVE-2026-24281 and CVE-2026-24400 by @ViacheslavKlimov
    • #15254 Added configurable security headers and env-var-backed CORS configuration by @ViacheslavKlimov
    • #15253 Fixed SSRF DNS rebinding bypass, added allow-list by @ViacheslavKlimov
    • #15251 Fixed CVE-2026-24281, CVE-2026-24308, CVE-2026-24400, CVE-2026-29063, CVE-2026-29087, CVE-2026-29786, CVE-2026-30827, CVE-2026-31802, CVE-2026-32141, CVE-2026-32635, CVE-2026-27904 by @vvlladd28
    • #15278 Fixed CVE-2026-22731, CVE-2026-22732, CVE-2026-22733, CVE-2026-22737 + Spring Boot 3.5 by @ViacheslavKlimov
    • #15293 Fixed CVE-2026-33228 by @vvlladd28
    • #15315 Fixed CVE-2026-33870, CVE-2026-33871 and GHSA-72hv-8253-57qq by @ViacheslavKlimov
    • #15322 Fixed CVE-2026-33895, CVE-2026-33894, CVE-2026-33896, CVE-2026-33750, CVE-2026-4923, CVE-2026-33671 by @vvlladd28
  • Core & Rule Engine

    • #15262 Sanitize database error messages by @ViacheslavKlimov
    • #14775 Added OTA package data cleanup by @AndriiLandiak
    • #14762 Fixed notification requests and RPC cleanup timeout on large datasets by @AndriiLandiak
    • #14781 Added WS update on telemetry deletion by @dashevchenko
  • UI

    • #15237 Updated locales da_DK, de_DE, el_GR, es_ES, fr_FR, it_IT, ja_JP, nl_NL, no_NO, pt_BR, tr_TR, uk_UA, zh_CN by @vvlladd28
    • #15203 Hidden “Show on widgets” button on sysadmin level by @vvlladd28
    • #15219 Fixed WS reconnect loop and notification spam when session limit is reached by @vvlladd28
    • #15168 Fixed resetting of validation on storeLink property by @mtsymbarov-del
    • #15292 Fixed proxy error handling for 502/503/504 HTTP status codes by @vvlladd28
    • #15273 Fixed string-items-list autocomplete selection and blur handling by @vvlladd28
  • Edge

    • #15205 Support combined PEM cert+key for Edge gRPC SSL by @smatvienko-tb
  • Transport

    • #15143 Fixed LwM2M Redis stores startup: use separate connections for SCAN and GET by @smatvienko-tb

Full Changelog: https://github.com/thingsboard/thingsboard/compare/v4.2.2...v4.2.2.1


What’s Changed

  • Security

    • #15076 Fixed CVE-2026-24734 and CVE-2025-66614 by @ViacheslavKlimov
    • #15079 Fixed CVE-2025-7783, CVE-2026-26996 and CVE-2026-26960 by @vvlladd28
    • #15109 Fixed CVE-2026-27903 and CVE-2026-27904 by @vvlladd28
    • #15123 Added SSRF protection (must be enabled with SSRF_PROTECTION_ENABLED env) by @ViacheslavKlimov
    • #15124 Fixed CWE-770 in Jackson Core (GHSA-72hv-8253-57qq) by @ViacheslavKlimov
    • #15128 Fixed CVE-2026-27970 and CVE-2026-2391 by @vvlladd28
    • Fixed CVE-2026-2781 and CVE-2026-25646 for Docker images by @ViacheslavKlimov and @smatvienko-tb
  • Major UI

    • #14935 Angular 20 migration by @ikulikov
  • Core & Rule Engine

    • #15058 Added Cassandra result set byte-size limit by @ViacheslavKlimov
    • #15078 Fixed TBEL script execution failures on repeated runs by @ViacheslavKlimov
    • #15101 Fixed blocking JPA queries on access-validator single thread by @dskarzh
    • #15100 Fixed preservation of rule node execution counter in delay and deduplication nodes by @dskarzh
    • #15120 Improved Apple OAuth2 mapper and refactored OAuth2 client validation by @ViacheslavKlimov
    • #15102 Fixed infinite loop when rule chain input node forwards to its own rule chain by @smatvienko-tb
    • #15116 Made max WS message size configurable by @DmytroKhylko
  • UI

    • #15130 Extend modules map: moment-timezone, canvas-gauges and ngx-hm-carousel added by @ChantsovaEkaterina
    • #14985 Fixed Redirect Url encoding by @mtsymbarov-del
    • #14978 Fixed Popover placement for Marker, Polygon and Circle overlay config by @mtsymbarov-del
    • #15018 Fixed adaptive in mail server configuration by @vvlladd28
    • #15071 Fixed a race condition causing the toast component by @mtsymbarov-del
    • #15097 Fixed a race condition when init image map by @mtsymbarov-del
    • #15142 Removed pattern validation from name field on CF by @mtsymbarov-del
  • Transport

    • #14760 Fixed Sparkplug BIRTH message validation for metrics with empty string values by @nickAS21
  • Edge

    • #15050 Event-sourced propagation for admin settings by @volodymyr-babak

Full Changelog: https://github.com/thingsboard/thingsboard/compare/v4.2.1.2...v4.2.2


What’s Changed

  • Security

    • Fixed CVE-2025-68973, CVE-2025-6020, CVE-2025-13601, CVE-2025-69420, CVE-2026-21945, CVE-2025-69419 and CVE-2026-21932 for Docker images by @ViacheslavKlimov and @smatvienko-tb
    • #14865 Fixed CVE-2026-22610 by @vvlladd28
    • #14729 Fixed CVE-2025-15284 by @vvlladd28
  • Core & Rule Engine

    • #14743 Added Redis ACL (username) authentication support by @AndriiLandiak
    • #14728 Fixed invalid finish ts for jobs with zero tasks in task manager by @ViacheslavKlimov
    • #14564 Fixed entity data query for sysadmin by @dashevchenko
    • #14631 Fixed partition cleanup for non-public PostgreSQL schemas by @AndriiLandiak
    • #14792 Fixed SMS usage state when disabled in tenant profile by @dashevchenko
    • #14751 Fixed unnecessary database updates for disabled users during failed login by @AndriiLandiak
  • Transport

    • #14645 Fixed NPE for LwM2M client context after reboot by @nickAS21
    • #14748 Fixed CoAP Unicast/Multicast MID Conflict and Silent ACK Rejection by @nickAS21
  • UI

    • #14614 Fixed LwM2M bootstrap toggle not persisting “Add Bootstrap config” button state by @mtsymbarov-del
    • #14746 Fixed map action panel hide when switching to another data layer by @vvlladd28
    • #14804 Fixed opening tenant profile autocomplete when “Create new” button is clicked by @mtsymbarov-del
    • #14802 Fixed country autocomplete autofill and improved validation by @vvlladd28
    • #14903 Fixed missing ’%’ character in alias help text by @mtsymbarov-del
    • #14895 Fixed padding in Range Chart and Bar Chart with label widgets when overlay enabled by @mtsymbarov-del
    • #14922 Fixed errors when public user views alarm comments by @mtsymbarov-del

Full Changelog: https://github.com/thingsboard/thingsboard/compare/v4.2.1.1...v4.2.1.2


Patch release with the following bug fixes:

What’s Changed

  • Core & Rule Engine

    • #14211 Fixed redundant credentials update event and device reconnect on bulk import by @AndriiLandiak
    • #14235 Added validation that prohibits last tenant admin deletion by @dashevchenko
    • #14062 Fixed check of pre-provisioned devices by @dashevchenko
    • #14179 Fixed firmware update when the OTA package has a URL instead of a file by @dashevchenko
    • #14209 Fixed error when using resources and templatization with GitHub Models AI provider by @dashevchenko
    • #14245 Fixed some tenant admins not displayed in related group with EDQS by @dashevchenko
    • #14457 Fixed XSS vulnerability for some entities by @dashevchenko
    • #14487 Fixed invalid alarm status subscription updates by @dashevchenko
    • #13836 Fixed NPE when evaluating dynamic duration rules in device profile node by @dskarzh
    • #14244 Improved support of customer-owned entities in customer attributes and change originator rule nodes by @dskarzh
    • #14467 Updated AI models autocomplete options by @dskarzh
    • #14195 Fixed incorrect CF calculation when same key is used across multiple arguments by @irynamatveieva
    • #14526 Fixed timestamp handling for calculated field arguments with missing telemetry by @irynamatveieva
    • #14623 Fixed processing of telemetry batch in calculated fields by @irynamatveieva
    • #14499 Fixed last update ts handling for CF arguments by @ShvaykaD
    • #14536 Fixed key dictionary race condition causing Hibernate to cache zero keyId in cluster mode by @ShvaykaD
    • #14264 Improve task cancellation handling in task manager by @ViacheslavKlimov
    • #14479 Fixed vulnerabilities by @ViacheslavKlimov
    • #14572 Fixed and improved CF states restore by @ViacheslavKlimov
    • #14587 Fixed Kafka topics cache by @ViacheslavKlimov
  • Transports

    • #14327 Fixed occasional application startup failure due to SNMP transport init by @artem-barysh-dev
    • #14407 Added ACK when Gateway connect goes wrong by @artem-barysh-dev
    • #14241 Fixed firmware update by URL for LwM2M by @nickAS21
    • #14294 Fixed observe after reboot without unregistration for LwM2M by @nickAS21
    • #14403 Fixed NPE after reboot if sleep for LwM2M by @nickAS21
    • #14624 Fixed tb-node startup when MQTT SSL enabled but MQTT transport disabled by @smatvienko-tb
  • Edge

    • #14461 Fixed customer unassignments in the dashboard during edge event processing by @MazurenkoNick
    • #14613 Fixed events from different edges being mixed together in one queue by @MazurenkoNick
    • #14425 Fixed dead Kafka consumer groups causing Edge sync failures by @volodymyr-babak
    • #14616 Fixed infinite loop on Edge Kafka consumer commit failure by @volodymyr-babak
  • UI

    • #14481 Fixed check connectivity request for AI models by @ArtemDzhereleiko
    • #14396 Fixed TinyMCE out-positioned image source by @deaflynx
    • #14377 Fixed JS module file encoding to include handling of special symbols by @DmytroKhylko
    • #14134 Fixed filtering entity and alarm tables by @LeoMorgan113
    • #14022 Fixed validation for “Email” fields by @mtsymbarov-del
    • #14048 Added ability to access logout button when hide toolbar option is enabled on dashboard by @mtsymbarov-del
    • #14085 Fixed dialogs adjusting to the screen resolution by @mtsymbarov-del
    • #14091 Added support for custom translations in LED Indicator widget title by @mtsymbarov-del
    • #14092 Fixed i18n custom translation in Attributes Card widget in data post-processing function by @mtsymbarov-del
    • #14140 Fixed widget entity alias empty entity list field by @mtsymbarov-del
    • #14143 Added alarm type list key translations by @mtsymbarov-del
    • #14151 Added support for custom translations in the dashboard user filters dialog by @mtsymbarov-del
    • #14185 Added draggable overlay option on map widget settings by @mtsymbarov-del
    • #14248 Fixed misspelling in Entity views Time series data section by @mtsymbarov-del
    • #14261 Fixed subscriptSizing of phone input by @mtsymbarov-del
    • #14296 Fixed typo in get queue statistics request method by @mtsymbarov-del
    • #14297 Fixed deleted user IDs remaining in Notification recipient user list by @mtsymbarov-del
    • #14298 Fixed parse function calling for control widgets by @mtsymbarov-del
    • #14569 Fixed profile saves triggers the saved configuration without changes by @mtsymbarov-del
    • #14615 Fixed mutation in mergeDeepIgnoreArray function by @mtsymbarov-del
    • #14392 Fixed incorrect error height of timeout message by @vvlladd28
    • #14243 Updated Lietuvių (Lithuanian) translation by @vvlladd28
    • #14254 Added show GitHub button to main toolbar by @vvlladd28
    • #14443 Fixed show duration in alarm details dialog by @vvlladd28
    • #14480 Fixed vulnerabilities by @vvlladd28
    • #14574 Updated translations by @vvlladd28

Full Changelog: https://github.com/thingsboard/thingsboard/compare/v4.2.1...v4.2.1.1

Minor release with the following bug fixes and improvements:

What’s Changed

  • Core & Rule Engine

    • #14068 AI Request Node: ability to attach files by @dashevchenko
    • #14014 AI models: support for local AI models via Ollama by @dskarzh
    • #14076 AI models: ability to change base URL to OpenAI by @dskarzh
    • #14131 Fixed vulnerabilities by @ViacheslavKlimov
  • UI

    • #14072 Added ‘General’ resource type and entity list for AI rule node by @ArtemDzhereleiko
    • #14066 Added support for UTF-8 symbols in export file name by @vvlladd28
    • #13373 Added tooltip settings option to also show total value in stacked timeseries charts by @pgrisu
    • #13350 Latest chart widgets: added setting to show total value in legend by @pgrisu
    • #14083 Markdown widget: hide unused data settings block in configuration by @vvlladd28
  • Bug Fixes

    • #14037 Fixed API usage cycle reset by @dashevchenko
    • #13941 Fixed occasional duplicated CF evaluations after TB restart by @irynamatveieva
    • #14046 Fixed missing entity values in exported alarm data widget by @dashevchenko
    • #14081 Fixed hidden options displaying when switching between Realtime and History in Timewindow by @ChantsovaEkaterina
    • #13952 Fixed AI models help link by @ArtemDzhereleiko
    • #13898 Fixed response format issue for AI rule node by @ArtemDzhereleiko
    • #14027 Fixed XSS vulnerabilities in the Rule node by @mtsymbarov-del
    • #13948 Fixed user name field retrieval in EDQS by @dashevchenko
    • #14070 Fixed PUBACK not sent if publishing failed or duplicated if message contains multiple devices by @dashevchenko

Full Changelog: https://github.com/thingsboard/thingsboard/compare/v4.2...v4.2.1


Major Improvements

  • Core & Rule Engine

    • #13371 🧠 Added AI request rule node by @dskarzh and @ArtemDzhereleiko
    • #13556 📊 Added entity and key filters support for alarm count query by @dashevchenko
    • #13747 🔒 Updated libraries to fix critical and major vulnerabilities by @ViacheslavKlimov

Minor Improvements

  • Core & Rule Engine

    • #13741 Improved Create Alarm rule node to process message asynchronously by @dskarzh
    • #13607 Improved EDQS with ability to reply with error details by @AndriiLandiak
    • #13827 Optimized Redis pool latency by reducing excessive pings by @pon0marev
    • #13562 Added Version Control support for OTA packages by @AndriiLandiak
    • #13692 Made script compilation errors unrecoverable during rule node initialization by @dskarzh
  • UI

    • #13745 Added help links for rule engine action nodes by @vvlladd28
    • #13795 Added missing services and models to public-api by @ChantsovaEkaterina
    • #13679 Improved mobile app configuration dialog: replace manual setup with JSON config file by @vvlladd28
    • #13778 Improved UX for Disable on property selection in dynamic forms settings by @vvlladd28
    • #13670 Improved help-popup container style by @vvlladd28
    • #13680 Improved Mobile center Applications form label by @deaflynx
    • #13783 Improved Notification Template Autocomplete: Fixed editing issues and added “Create new” option by @ArtemDzhereleiko
    • #13813 Refactored dashboard state management by @vvlladd28
  • Transport

    • #13701 Implemented MQTT client ID length validation based on protocol version by @AndriiLandiak
    • #12502 Implemented support of Sparkplug version 3.0 by @nickAS21
  • Edge

    • #13651 Added per-edge statistics by @jekka001

Bug fixes

  • Core & Rule Engine

    • #13763 Fixed alarms cleanup when originator (other than device or asset) is deleted by @AndriiLandiak
    • #13788 Fixed EDQS queries for tenant’s telemetry saved by sysadmin by @dashevchenko
    • #13751 Fixed EDQS entity field filter for numeric values saved as string by @dashevchenko
    • #13799 Fixed topics creation for isolated tenants by @ViacheslavKlimov
    • #13868 Fixed CF arguments casting Long to Integer to avoid truncation by @irynamatveieva
    • #13669 Fixed no type-cast for attributes when adding from UI by @ViacheslavKlimov
    • #13777 Fixed handling of RPC with missing additional info in cluster mode by @ShvaykaD
  • UI

    • #13804 Fixed alias relations query bug preventing ‘Not’ filter from being edited after creation by @vvlladd28
    • #13746 Fixed CVE-2025-7783 vulnerability by @vvlladd28
    • #13772 Fixed calculated field argument settings popover position on argument type change by @vvlladd28
    • #13727 Fixed Math Function node showing 0 in the “Argument default value” field by @vvlladd28
    • #13725 Fixed minor bug in mobile center by @vvlladd28
    • #13748 Fixed race condition in EntitiesDataSource loadEntities by cancelling previous requests by @vvlladd28
    • #13770 Fixed incorrect card padding for title in single switch widget by @vvlladd28
    • #13771 Fixed error message in Alarm widget preview when opening Assign field dropdown by @vvlladd28
    • #13758 Fixed OAuth2 redirect URI field appearing enabled in view mode by @vvlladd28
    • #13761 Fixed Trendz settings not updating without page refresh by @yuliaklochai
    • #13720 Fixed incorrect ObjectId version resolution in LwM2M telemetry send without observe by @nickAS21
    • #13681 Fixed scrolling for long file name OTA updates package form by @deaflynx
    • #13682 Fixed rewriting of dashboard duplicate state with same ID by @deaflynx
    • #13635 Fixed Version Control result popover with long error message by @ArtemDzhereleiko
    • #13663 Fixed style for custom action editor by @LeoMorgan113
    • #13782 Fixed incorrect font rendering in SCADA symbols preview by @ArtemDzhereleiko
    • #13780 Fixed line width for cross connector HP SCADA symbol by @ArtemDzhereleiko
    • #13797 Fixed API usage state display value and added ellipsis to entity list and subtype list chip by @ArtemDzhereleiko
    • #13798 Fixed widget preview height in widget type autocomplete by @ChantsovaEkaterina
    • #13598 Fixed material autocomplete hasBackdrop by @ArtemDzhereleiko
  • Transport

    • #13754 Fixed MQTT client disconnect by @artem-barysh-dev
    • #13689 Fixed consuming wrong rate limit for devices connected via gateway by @imbeacon

New Contributors

  • #13722 @Yatharth0045 made their first contribution

Full Changelog: https://github.com/thingsboard/thingsboard/compare/v4.1...v4.2