✋ Heads-ups

The heads-ups from 1.11.0 still apply, please read this release's release notes as well for a full picture of what you should be aware of and what changed!

🔒 Explicitly configure whether to use shell mode for your system event subscriptions

OctoPrint 1.11.3 introduces a new shell parameter on type: system commands that allows to specify whether the command should be run in a shell (true, currently the default) or directly (false, the future default).

Running commands in a shell has security implications as a misconfigured command with placeholders coming from external, potential untrusted sources can lead to arbitrary command execution. However, running commands in a shell also allows for more powerful scripting and also access to the shell’s environment, making it often unnecessary to set the full paths of commands that are supposed to be run.

OctoPrint so far has been running system commands defined in event hooks within a shell. Starting with OctoPrint 1.11.3, OctoPrint will log a message to octoprint.log when it encounters a system hook that hasn’t yet explicitly configured shell, and default to enabling shell mode. From 1.13.0 onward, this behaviour will change, and OctoPrint will default to not enabling shell mode in such cases, to further reduce the attack surface.

You should make an explicit decision now. Try to make your commands work without having to enable shell mode, and thoroughly vet your commands and parameter processing if you have to enable shell mode.

The bundled Event Manager's UI has been adjusted to allow you to configured the shell parameter.

🔥 Switch to Application Keys, the global API key will be removed in 1.13.0

The global API key has been deprecated for a long time now. So far the deprecation notice said it would be removed in OctoPrint 2.0, however this now has been rescheduled to OctoPrint 1.13.0.

OctoPrint 1.12.0 will prepare this removal further and ship with a new health check enabled that will detect if you have a global API key set. OctoPrint 1.13.0 will then remove it altogether.

Instead of using the global key you should create individual Application Keys for your third party clients. That way they get permissions matching the user account used for key creation and you can also revoke access to one app without having to change the keys for all other apps. It's also recommended to create a user account without admin access and use that for third party clients where possible.

⛈ Issues while updating?

On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.

♻ Changes

🔒 Security fixes

• RCE in OctoPrint via Unsanitized Filename in File Upload, severity High (7.5): OctoPrint versions up until and including 1.11.2 contain a vulnerability that allows an authenticated attacker to upload a file under a specially crafted filename that will allow arbitrary command execution if said filename becomes included in a command defined in a system event handler and said event gets triggered.

  If no event handlers executing system commands with uploaded filenames as parameters have been configured, this vulnerability does not have an impact.

  See also the GitHub Security Advisory and CVE-2025-58180

Minor Security fixes

• #5169: Got rid of unused and unneeded cookie setter functionality in LargeResponseHandler as it could be used to break returned responses through used input.

✨ Features & improvements

Application Keys Plugin

• Added a new CLI command to trigger the appkey request workflow, see octoprint plugin appkeys:request-key --help for details.

Event Manager Plugin

• Allow configuring whether to enable shell mode on a system event hook.
• Slight UI changes to improve UX.

Healthcheck Plugin

• New healthcheck to check for deprecated global API key being set and possibly used, disabled for now, will be enabled with 1.12.0

🐛 Bug fixes

Core

• #5177: Removed an unwanted side effect on HierarchicalChainMap._unflatten that could make it impossible to reset the run-time value of a dict-based setting back to an empty dict.
• Got rid of any uses of the cgi module, which has been deprecated for a while now and removed from Python 3.13+.
• Added a note that the global API key will be removed with the release of OctoPrint 1.13.0.
• Pinned the psutil dependency to version 6.0.0 to work around a problem with its builds available on piwheels.

Application Keys Plugin

• #5170: Fix access request handling on newly opened page

Upload Manager Plugin

• Use proper name for filesViewModel instead of deprecated name gcodeFilesViewModel.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this bugfix release!

Also a big thank you to @prabhatverma47 for responsibly disclosing the security vulnerabilities fixed in this release.

🔗 More information

• Commits
• Release candidates:
  • As this is a bugfix release, there were no release candidates

✋ Heads-ups

The heads-ups from 1.11.0 still apply, please read this release's release notes as well for a full picture of what you should be aware of and what changed!

🧩 SimpleApiPlugins can now opt-into enforced authentication on their endpoints, a future version of OctoPrint will require an opt-out to prevent this

Starting with OctoPrint 1.11.2, OctoPrint now ships with a new method SimpleApiPlugin.is_api_protected on its SimpleApiPlugin mixin that, similar to the long existing BlueprintPlugin.is_blueprint_protected, tells OctoPrint whether some basic authentication enforcing should be done by OctoPrint on its endpoints or not.

For now, this method by default will return False, effectively keeping the current behaviour of plugins having to implement their own authentication in SimpleApiPlugin.on_api_get and SimpleApiPlugin.on_api_command. However, this behaviour will change in a future version of OctoPrint (current plan is 1.13.0) to return True instead, effectively enforcing some basic user authentication on all SimpleApiPlugins.

Plugin authors should adjust their plugins now and explicitly opt-into protection by implementing is_api_protected liek this:

def is_api_protected(self):
    return True

If this does not work with their plugin, they should explicitly opt out by returning False here (and implement their own authentication as needed).

Plugins that have not yet explicitly implemented the above method will cause a warning to be logged in octoprint.log.

⛈ Issues while updating?

On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.

♻ Changes

🔒 Security fixes

• File exfiltration possible via upload endpoints, severity Moderate (5.4): OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows an attacker with the FILE_UPLOAD permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload folder where they then can be downloaded from.

  The primary risk lies in the potential exfiltration of secrets stored inside OctoPrint's config, or further system files. By removing important runtime files, this could also be used to impact the availability of the host. Given that the attacker requires a user account with file upload permissions, the actual impact of this should however hopefully be minimal in most cases.

  See also the GitHub Security Advisory and CVE-2025-48067

• Denial of Service through malformed HTTP request in OctoPrint, severity Moderate (6.5): OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken multipart/form-data request to OctoPrint and through that make the web server component become unresponsive. This could be used to effectively run a denial of service attack on the OctoPrint server.

  See also the GitHub Security Advisory and CVE-2025-48879

Minor Security fixes

• Core: Only allow bypassing CSRF protection with a provided API key. Before, OctoPrint would also disable CSRF protection if there was absolutely no session context (e.g. a manual curl request). Also added some E2E tests for that.
• Application Keys Plugin: Added a strong warning to the application keys dialog that allowing an app to create an appkey will give it the user's permissions. Also added the remote address from which the appkey request is coming from.
• Application Keys Plugin: Added a rate limit on the app keys request endpoint, to reduce the likelihood of an attacker on the local network spamming the instance with requests that the user then might accidentally allow.

✨ Features & improvements

Core

• #5158: Pinned the third-party Click dependency to anything but 8.2.0 as that has a bug in how it parses boolean flags, leading to issues with e.g. octoprint user add --admin not working when it is installed.
• Added a new decorator BlueprintPlugin.limit to decorate endpoints with a rate limiter.
• Added a method SimpleApiPlugin.is_api_protected to query whether the API endpoints should have some basic authentication added by OctoPrint, similar to BluePrintPlugin.is_blueprint_protected. For now this method will return False (and log a warning to octoprint.log, prompting plugin authors to implement it explicitly). In a future OctoPrint version - current plan is 1.13.0 - this will default to True, enforcing basic protection on all SimpleApiPlugin implementations. See also the corresponding heads-up above.

CI

• Now building PEP625 confirming sdists & wheels, and no longer building deprecated universal wheels.

🐛 Bug fixes

Core

• #5156: Fix 403 errors triggered by access_validation_factory due to missing permissions getting turned into HTTP 500.
• #5161: Fixed the Reverse Proxy Test page not working when pydantic 1.x is installed (Python 3.7).
• Made octoprint dev plugin:install work with setuptools >= 80.x and legacy plugin packaging.
• Fixed a typo in an internal method call causing plugin loading errors for specific packaging scenarios.
• Fixed escaping of whitespace for native grep calls.

Upload Manager Plugin

• #5162: Fixed sorting by "last printed date".

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this bugfix release!

Also a big thank you to @jacopotediosi for responsibly disclosing the security vulnerabilities fixed in this release.

🔗 More information

• Commits
• Release candidates:
  • As this is a bugfix release, there were no release candidates

✋ Heads-ups

The heads-ups from 1.11.0 still apply, please read this release's release notes as well for a full picture of what you should be aware of and what changed!

⛈ Issues while updating?

On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.

♻ Changes

🔒 Security fixes

Minor Security fixes

• Core: Thanks to some issues with certain third party translations it was discovered that autoescape doesn't affect strings loaded from translations, specifically any single or double quotes contained therein. Consequently, all places in OctoPrint's template files have been manually escaped using the existing filters edq (for double quoted strings) and esq (for single quoted strings). I will check if it's possible to also add some kind of autoescaping (with manual safe marking) there in a future version, so plugin authors should follow future release notes closely (as always).

✨ Features & improvements

Core

• #5144: The confirmation dialog when deleting a file can now be disabled. See Settings > Features.
• #5145: Protect against potential misconfiguration of the reauthentication timeout by making sure it's always >= 0 when checking against it.
• #5153: It has been made clearer in octoprint.log when the connectivity check is disabled.

🐛 Bug fixes

Core

• #5149: Fixed a logic error causing connection issues with printers such as Prusa MK3(s) when "wait for start on connect" is disabled.
• #5151: Fixed a validation error in the comm layer causing a deadlock when trying to connect while there are no serial ports available. Also disabled the connect button when no serial ports are available. The autorefresh in the background that has now been built-in since OctoPrint 1.9.0 should make sure this isn't a big behaviour change. However, in case that you need to refresh the available ports manually you can always use the little reload button on the header of the connection panel.

Achievements Plugin

• #5148: Fixed the description of the "The Tinkerer" achievement.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this bugfix release!

🔗 More information

• Commits
• Release candidates:
  • As this is a bugfix release, there were no release candidates

✋ Heads-ups

☝️ OctoPrint 1.11.x is the last OctoPrint to support Python 3.7 and 3.8

Python 3.7 has now been EOL since June 27th 2023, and the maintenance overhead caused by still having to support it is becoming unfeasible. Python 3.8 has now been EOL since October 31st 2024, and it is to be expected that the maintenance overhead will further rise due to that.

As a consequence, OctoPrint 1.11.x is the final OctoPrint version to support both Python 3.7 and 3.8. OctoPrint 1.12.0+ will require at least Python 3.9.

How do you know if you will be affected and need to update? A newly added healthcheck mechanism has been added that will now alert you if your environment is outdated and about to be left behind, and a new FAQ entry is in place to help you figure out how to update your runtime environment.

This will be kept updated, so that you will also receive early warnings about future deprecations this way.

🧩 OctoPrint will now auto-escape all internal templates, plugin authors should opt-in as well!

Starting with OctoPrint 1.11.0, OctoPrint will ship with auto-escaping all injected template variables and other included expressions in its template system. For 1.11.0 and 1.12.0, this will only be done for bundled plugins and those third party plugins that have opted into autoescaping. Starting with OctoPrint 1.13.0 however, third party plugins will have to opt out in order to not have autoescaping enabled on their templates.

A new entry has been added to the FAQ that has further details.

🧩 WebcamProviderPlugin.take_webcam_snapshot has gotten its parameters fixed

If you are the maintainer of a third party plugin using the WebcamProviderPlugin mixin and have implemented its take_snapshot method, be advised that an implementation error in OctoPrint has been fixed and the implementation aligned with the documentation: the method will now be called with the webcamName parameter being a string containing the name of the requested webcam, as documented, not a full webcam configuration object as previously wrongly implemented.

Changes

🔒 Security fixes

• Severity Moderate (4.3): It was possible to bypass the login redirect and directly access the rendered HTML of certain frontend pages. This was caused by the use of a custom HTTP header that would disable the login redirect on preemptive caching of the frontend HTML, which was not properly stripped from incoming request, thus allowing the same behaviour through manipulating the headers of the requesting browser.

  The impact on data exposure was minimal because, typically, data is loaded via API requests that correctly enforce user authentication. In the current codebase, cases where data is directly embedded in the page content are rare. However, one notable exception is the authenticated variant of the reverse proxy test page, which displays the IP addresses of configured reverse proxies.

  This has now been fixed by removing the header altogether and implementing the login bypass differently with purely internal flagging.

  See also the GitHub Security Advisory and CVE-2025-32788

✨ Features & improvements

Core

• #833: Added a confirmation to the file delete button in the file list. Bulk deletions can still be done easily via the newly added Upload Manager Plugin, see below.
• #1313: Added an option for whether to automatically render captured timelapses. Timelapses can now be set to never render automatically, only in case of a successful or only in case of a failed print, and of course also always (the previous behaviour). See also PR#4994.
• #4864: Added Prusa MMU commands M707 and M708 to default list of commands that should never be auto-uppercased when sent to the printer through the terminal tab. See also PR#5015.
• #4932: Added support for multi factor authentication (MFA) schemes to OctoPrint's login mechanism. A new plugin type MfaPlugin allows to hook into that through plugins. A first plugin utilizing that plugin type to implement TOTP authentication can be found at OctoPrint/OctoPrint-MfaTotp and is now also available on the plugin repository!
• #4968: Removed octoprint.server.(loginFromApiKeyRequestHandler|loginFromAuthorizationHeaderRequestHandler) as they were no longer used and undocumented.
• #4973: Include stack traces with fatal errors. Also make InvalidYaml exceptions more helpful by including the full message from the triggering YAMLError. Also switch to using FATAL instead of ERROR for startup error logging.
• #4990: Made @ commands case insensitive.
• #5018: Added support to specify the current extruder as tool for a new target temperature on the API. See also PR#5022.
• #5036: To make the configuration of trusted (reverse) proxies less confusing and error prone, the server.reverseProxy.trustedDownstream has been renamed to server.reverseProxy.trustedProxies and an additional flag server.reverseProxy.trustLocalhostProxies has been added that will ensure that reverse proxies on localhost will always be trusted if set. A configuration migration is in place to automatically migrate existing configurations to these two new settings.
• #5063: Added a configurable delay to wait for after print completion & before rendering the just recorded timelapse. If a new print is started while this timer is running, OctoPrint will now enqueue the timelapse for later rendition during idle time. OctoPrint will only start rendering if after the timer has elapsed no new print has been started.
• #5068: OctoPrint will now recognize .gc~ as a valid GCODE extension.
• #5072: The search bar has been extended to support an additional user: filter to filter for files uploaded by certain users. Consequently, the core has been adjusted to store the uploading user in the file's metadata, which so far wasn't the case.
• #5079: Clarified the wording of the "tool doesn't exist" message.
• #5059: Added an option to allow suppressing the second "hello" command during printer connection initialization.
• PR#5029: Migrated the code to Pydantic 2.x under Python 3.8+. Since OctoPrint 1.11.0 will be the final version to still support Python 3.7, also added a compatibility layer to be able to use the Pydantic 2.x API under Python 3.7 with Pydantic 1.
• PR#5054: Fixed two comma splices.
• PR#5060: Support assigning mapped groups to users based on specific HTTP headers. This is to allow external authentication mechanisms to be put in front of OctoPrint and allow them to be used without manual group assignment in OctoPrint being required on each new user.
• Refactored the plugin interface to use importlib instead of the outdated vendored imp.py to detect installed plugins from entrypoints.
• Added some more aliases for the recovery page and the reverse proxy test page. You may now also find the recovery page under /recovery, /rescue/ and /rescue on top of its canonical /recovery/, and the reverse proxy test page under /reverse_proxy_test, /reverse_proxy_check[/], /reverse-proxy-test[/], /reverse-proxy-check[/], /proxy_test[/], /proxy-test[/], /proxy_check[/] and /proxy-check[/] on top of the canonical /reverse_proxy_test/.
• Switched to ruff for linting & formatting of the code base.
• Refactored the code base to get rid of any pkg_resources dependencies, switching over the plugin core system to more modern libraries in the shape of importlib and packaging.
• Added auto-discovery of common plugin assets following the naming scheme <type>/<identifier>.<ext> in the AssetPlugin mixin.
• Ensured that Tornado errors end up in octoprint.log.
• Enabled auto-escape of template variables for all of OctoPrint's internal templates, those in bundled plugins and those in third party plugins that have opted into auto-escaping. With OctoPrint 1.13.0, this will become the default! Please also see the heads-up above.
• Added support for disabling the warnings about serial.log and/or plugin_timings.log being active by setting plugins.logging.serial_log_warning and/or `plugins.logging.plugi...

⚠️ Important note on release candidates

This is a Release Candidate of OctoPrint. It is not a stable release: severe bugs can occur, and they can be bad enough that they make a manual downgrade to an earlier version necessary - maybe even from the command line.

You should be comfortable with and capable of possibly having to do this before installing an RC.

🔁 Feedback on this RC

Please provide general feedback on this RC in this ticket. An "All is working fine" is valuable feedback as well because it tells me people are actually testing this RC and just not finding problems with it.

If you run into any obvious bugs, please follow "How to file a bug report" - I need logs and reproduction steps to fix issues, not just the information that something doesn't work.

Thanks!

Things to take a closer look at

For this RC, these things should get a closer look while testing, if possible:

• proper behaviour when using the included web interface as well as any third party clients at your disposal
• the newly added Custom Control Manager plugin
• the newly added Health Check plugin
• the newly added Upload Manager plugin
• the MFA-TOTP plugin using the new MFA plugin interface
• timelapse creation, especially with a configured rendering delay
• remember me functionality

✋ Heads-ups

The heads-ups from 1.11.0rc1 still apply!

🐛 Bug fixes

Core

• #5132 (regression): Fix session keepalive not getting started. Side effect of the fix of #5125.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this RC and provided full, analyzable bug reports.

🔗 More information

• Commits

⚠️ Important note on release candidates

This is a Release Candidate of OctoPrint. It is not a stable release: severe bugs can occur, and they can be bad enough that they make a manual downgrade to an earlier version necessary - maybe even from the command line.

You should be comfortable with and capable of possibly having to do this before installing an RC.

🔁 Feedback on this RC

Please provide general feedback on this RC in this ticket. An "All is working fine" is valuable feedback as well because it tells me people are actually testing this RC and just not finding problems with it.

If you run into any obvious bugs, please follow "How to file a bug report" - I need logs and reproduction steps to fix issues, not just the information that something doesn't work.

Thanks!

Things to take a closer look at

For this RC, these things should get a closer look while testing, if possible:

• proper behaviour when using the included web interface as well as any third party clients at your disposal
• the newly added Custom Control Manager plugin
• the newly added Health Check plugin
• the newly added Upload Manager plugin
• the MFA-TOTP plugin using the new MFA plugin interface
• timelapse creation, especially with a configured rendering delay
• remember me functionality

✋ Heads-ups

The heads-ups from 1.11.0rc1 still apply!

🐛 Bug fixes

Core

• #5125 (regression): Fix reauthentication logic to not log out on reauth. This is actually not a real regression and was present in 1.10.x as well, but changes in 1.11.0 made it almost always trigger vs almost never on 1.10.x (due to some race condition), so it feels like a regression and needed fixing in the RC phase.
• Fix a redirect path traversal bug in validate_local_redirect. This in theory could have been abused by some manipulated link to redirect a login to a path on the same server as OctoPrint beyond those marked as safe, e.g. a malicious plugin or an external app on another path. Not a regression, but better fix this now than later. Thanks to @jacopotediosi for the discovery and the suggested fix.

Error Tracking Plugin

• (regression) Silence some Sentry log spam
• (regression) Fix an issue in the ignored exception filter causing no errors to be reported

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this RC and provided full, analyzable bug reports.

🔗 More information

• Commits

⚠️ Important note on release candidates

This is a Release Candidate of OctoPrint. It is not a stable release: severe bugs can occur, and they can be bad enough that they make a manual downgrade to an earlier version necessary - maybe even from the command line.

You should be comfortable with and capable of possibly having to do this before installing an RC.

🔁 Feedback on this RC

Please provide general feedback on this RC in this ticket. An "All is working fine" is valuable feedback as well because it tells me people are actually testing this RC and just not finding problems with it.

If you run into any obvious bugs, please follow "How to file a bug report" - I need logs and reproduction steps to fix issues, not just the information that something doesn't work.

Thanks!

Things to take a closer look at

For this RC, these things should get a closer look while testing, if possible:

• proper behaviour when using the included web interface as well as any third party clients at your disposal
• the newly added Custom Control Manager plugin
• the newly added Health Check plugin
• the newly added Upload Manager plugin
• the MFA-TOTP plugin using the new MFA plugin interface
• timelapse creation, especially with a configured rendering delay
• remember me functionality

✋ Heads-ups

The heads-ups from 1.11.0rc1 still apply!

🐛 Bug fixes

Core

• #5121 (regression): Fix spamming of requests against /api/files/sdcard/<path> on selecting a file on the printer's SD card. Also added E2E tests for selecting both local and printer-side files.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this RC and provided full, analyzable bug reports!

🔗 More information

• Commits

⚠️ Important note on release candidates

This is a Release Candidate of OctoPrint. It is not a stable release: severe bugs can occur, and they can be bad enough that they make a manual downgrade to an earlier version necessary - maybe even from the command line.

You should be comfortable with and capable of possibly having to do this before installing an RC.

🔁 Feedback on this RC

Please provide general feedback on this RC in this ticket. An "All is working fine" is valuable feedback as well because it tells me people are actually testing this RC and just not finding problems with it.

If you run into any obvious bugs, please follow "How to file a bug report" - I need logs and reproduction steps to fix issues, not just the information that something doesn't work.

Thanks!

Things to take a closer look at

For this RC, these things should get a closer look while testing, if possible:

• proper behaviour when using the included web interface as well as any third party clients at your disposal
• the newly added Custom Control Manager plugin
• the newly added Health Check plugin
• the newly added Upload Manager plugin
• the MFA-TOTP plugin using the new MFA plugin interface
• timelapse creation, especially with a configured rendering delay
• remember me functionality

✋ Heads-ups

The heads-ups from 1.11.0rc1 still apply!.

🐛 Bug fixes

Core

• #5115: Auto discovered assets for the AssetPlugin mixin would be returned containing \ under Windows, leading to 404s when attempting to load them in the browser. This auto discovery is a new feature added in 1.11.0 (used by the bundled Health Check plugin) and thus this was not a regression, but rather a bug in newly added functionality.
• #5116: Fix a bug with handling JS errors in the webasset bundler.
• #5117 (regression): Fix warnings logged to the browser console due to mistakes made when upgrading to Font Awesome 6.5.1.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this RC and provided full, analyzable bug reports, and especially to @Hillshum for their PR!

🔗 More information

• Commits

⚠️ Important note on release candidates

This is a Release Candidate of OctoPrint. It is not a stable release: severe bugs can occur, and they can be bad enough that they make a manual downgrade to an earlier version necessary - maybe even from the command line.

You should be comfortable with and capable of possibly having to do this before installing an RC.

🔁 Feedback on this RC

Please provide general feedback on this RC in this ticket. An "All is working fine" is valuable feedback as well because it tells me people are actually testing this RC and just not finding problems with it.

If you run into any obvious bugs, please follow "How to file a bug report" - I need logs and reproduction steps to fix issues, not just the information that something doesn't work.

Thanks!

Things to take a closer look at

For this RC, these things should get a closer look while testing, if possible:

• proper behaviour when using the included web interface as well as any third party clients at your disposal
• the newly added Custom Control Manager plugin
• the newly added Health Check plugin
• the newly added Upload Manager plugin
• the MFA-TOTP plugin using the new MFA plugin interface
• timelapse creation, especially with a configured rendering delay
• remember me functionality

✋ Heads-ups

The heads-ups from 1.11.0rc1 still apply!.

✨ Features & improvements

Health Check Plugin

• #5110: Allow to mark reported health check issues as read.

🐛 Bug fixes

Core

• #5105 (regression): Fix the "Remeber me" functionality
• #5109: Fix octoprint.systemcommands.SystemCommandManager.has_(server_restart|system_restart|system_shutdown)_command not returning False for empty commands. Not a regression, but a small enough fix to still include in 1.11.0.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this RC and provided full, analyzable bug reports.

🔗 More information

• Commits

⚠️ Important note on release candidates

This is a Release Candidate of OctoPrint. It is not a stable release: severe bugs can occur, and they can be bad enough that they make a manual downgrade to an earlier version necessary - maybe even from the command line.

You should be comfortable with and capable of possibly having to do this before installing an RC.

🔁 Feedback on this RC

Please provide general feedback on this RC in this ticket. An "All is working fine" is valuable feedback as well because it tells me people are actually testing this RC and just not finding problems with it.

If you run into any obvious bugs, please follow "How to file a bug report" - I need logs and reproduction steps to fix issues, not just the information that something doesn't work.

Thanks!

Things to take a closer look at

For this RC, these things should get a closer look while testing, if possible:

• proper behaviour when using the included web interface as well as any third party clients at your disposal
• the newly added Custom Control Manager plugin
• the newly added Health Check plugin
• the newly added Upload Manager plugin
• the MFA-TOTP plugin using the new MFA plugin interface
• timelapse creation, especially with a configured rendering delay

✋ Heads-ups

The heads-ups from 1.11.0rc1 still apply!.

✨ Features & improvements

Core

• Improved Tornado and CSRF failure logging.

🐛 Bug fixes

Core

• #5098 & #5100 (regression): Fixed permission fetch and login_mechanism setting for incoming requests with API keys. This solves the problem with all requests with an API key being responded to with an HTTP status of 403, and any API key based requests not using GET, HEAD or OPTIONS methods with a CSRF validation failure and thus an HTTP Status of 400, breaking communication with most third party clients.
• #5099 (regression): Fixed templating macros being broken for third party plugins not supporting autoescaping.

Custom Control Manager

• #5096: Fixed rendering of horizontal_grid custom control type.
• #5097: Added missing width/offset configuration.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this RC and provided full, analyzable bug reports.

🔗 More information

• Commits

Full Changelog: 1.11.0rc1...1.11.0rc2