Releases: netbirdio/netbird
v0.66.0
Release Notes for v0.66.0
🚀 New Feature: netbird expose
We're excited to introduce netbird expose --- a simple and secure way to expose your local services through the NetBird reverse proxy.
⚡ Expose Local Services with Protection
Expose a local HTTP server:

```shell
netbird expose 8080
```

This instantly publishes your local service via NetBird's reverse proxy.
You can enhance the exposure with built-in protection and customization:
🔐 With PIN protection (6 digits)

```shell
netbird expose 3000 --with-pin 123456
```

🔑 With password protection and name prefix

```shell
netbird expose 8080 --with-password my-secret --with-name-prefix my-app
```

👥 Restrict by SSO user groups

```shell
netbird expose 8080 --with-user-groups engineering,devops
```

🌐 Use a custom domain (pre-configured in your account)

```shell
netbird expose 8080 --with-custom-domain app.example.com
```

Supported Flags
- `--with-pin string` --- Protect the exposed service with a 6-digit PIN
- `--with-password string` --- Add password protection
- `--with-user-groups strings` --- Restrict access to specific user groups
- `--with-custom-domain string` --- Specify a custom domain
- `--with-name-prefix string` --- Prefix the generated service name
- `--protocol string` --- Protocol to use (`http` or `https`, default `http`)
⚠️ NetBird Cloud support is coming soon with hosted proxy nodes.⚠️
Learn more at: https://docs.netbird.io/manage/reverse-proxy/expose-from-cli
Client Improvements
- Stopped upstream retry loop immediately on context cancellation. #5403
- Fixed busy-loop in network monitor routing socket on macOS/BSD. #5424
- Fixed missed sleep/wakeup events on macOS. #5418
- Removed connection semaphore to simplify connection handling. #5419
- Skipped UAPI listener in netstack mode. #5397
- Simplified DNS logging by removing domain list from log output. #5396
- Excluded Flow domain from caching to prevent TLS failures. #5433
- Added non-default socket file discovery support. #5425
Client Service Expose
- Introduced client service expose feature across client and management. #5411
- Refactored expose feature by moving business logic from gRPC to manager layer. #5435
Proxy Improvements
- Added access log cleanup. #5376
- Implemented access log sorting. #5378
- Sent proxy updates on account deletion. #5375
- Added pre-shared key (PSK) support to proxy. #5377
Management Improvements
- Refactored network map component assembly. #5193
- Added custom domain counts and service metrics to self-hosted metrics. #5414
Self-Hosted Enhancements
- Added support for activity store engine in the combined server. #5406
- Added Embedded IdP metrics for improved observability. #5407
Full Changelog: v0.65.3...v0.66.0
v0.65.3
Release Notes for v0.65.3
🛡️ Security Fix: Race Condition in Role Update Validation
What was affected
A race condition in the user role validation logic could allow permission checks to succeed based on stale role data. Under very specific timing conditions, concurrent requests during a role change (e.g., while an admin was being demoted to user) could bypass role validation when changing another user's role.
Exploit Potential
If an administrator account was being demoted while simultaneously performing account ownership transfer actions, a race window existed where the system could treat the user as still having elevated permissions to change owners.
In a coordinated scenario involving two administrator accounts, this could potentially allow privilege escalation — for example, promoting a user to Owner during the demotion window.
Conditions Required
Exploitation required:
- Two administrator accounts.
- One administrator being actively demoted.
- Concurrent ownership transfer requests executed precisely during the demotion process.
- Precise timing to trigger the race condition.
This issue required intentional coordination, precise timing, and access to two admin accounts, making it unlikely to occur accidentally.
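The defect described above is a check-then-act race: the actor's role is read, the lock is released, and the mutation is committed later against possibly stale data. The following Go program is an added example written for these notes, not NetBird's code; `Account`, `SetRoleRacy`, `SetRole` and the user names are constructed. It forces the vulnerable interleaving deterministically and then hammers the fixed path concurrently, checking the invariant the fix is meant to guarantee: a role change is only ever committed by an actor who still held an admin or owner role at commit time.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Role is a simplified stand-in for the management server's user roles.
type Role string

const (
	RoleOwner Role = "owner"
	RoleAdmin Role = "admin"
	RoleUser  Role = "user"
)

// ErrForbidden is returned when the acting user may not change roles.
var ErrForbidden = errors.New("forbidden: actor is not an owner or admin")

// Account is a constructed in-memory model (not NetBird's store). Every committed
// change is appended to an audit log under the same lock, so a test can check that
// a change was committed while its actor still held the required role.
type Account struct {
	mu    sync.Mutex
	roles map[string]Role
	log   []string
}

func NewAccount() *Account {
	return &Account{roles: map[string]Role{
		"owner": RoleOwner, "admin-a": RoleAdmin, "admin-b": RoleAdmin, "bob": RoleUser,
	}}
}

func (a *Account) Role(user string) Role {
	a.mu.Lock()
	defer a.mu.Unlock()
	return a.roles[user]
}

// commitLocked records a change; the caller must hold a.mu.
func (a *Account) commitLocked(target string, r Role) {
	a.roles[target] = r
	a.log = append(a.log, target+"="+string(r))
}

// SetRoleRacy has the check-then-act shape of the bug: the actor's role is validated,
// the lock is released, and the change is committed later. afterCheck is a hook that
// lets the caller interleave a concurrent demotion into that window.
func (a *Account) SetRoleRacy(actor, target string, r Role, afterCheck func()) error {
	if role := a.Role(actor); role != RoleAdmin && role != RoleOwner {
		return ErrForbidden
	}
	afterCheck() // stale-role window: the actor may have been demoted by now
	a.mu.Lock()
	defer a.mu.Unlock()
	a.commitLocked(target, r)
	return nil
}

// SetRole validates and commits in one critical section. A concurrent demotion is
// committed either before the check (so the check fails) or after the commit.
func (a *Account) SetRole(actor, target string, r Role) error {
	a.mu.Lock()
	defer a.mu.Unlock()
	if role := a.roles[actor]; role != RoleAdmin && role != RoleOwner {
		return ErrForbidden
	}
	a.commitLocked(target, r)
	return nil
}

// DemoRacy forces the interleaving: admin-a is demoted inside the window, yet the
// transfer still commits. Returns bob's final role and the error the actor saw.
func DemoRacy() (Role, error) {
	acct := NewAccount()
	err := acct.SetRoleRacy("admin-a", "bob", RoleOwner, func() {
		_ = acct.SetRole("admin-b", "admin-a", RoleUser)
	})
	return acct.Role("bob"), err
}

// DemoSafe runs the demotion and the transfer concurrently `trials` times through the
// fixed path and reports whether the invariant held every time: if bob became owner,
// the transfer was committed before admin-a's demotion (first entry in the log).
func DemoSafe(trials int) bool {
	for i := 0; i < trials; i++ {
		acct := NewAccount()
		var wg sync.WaitGroup
		wg.Add(2)
		go func() { defer wg.Done(); _ = acct.SetRole("admin-b", "admin-a", RoleUser) }()
		go func() { defer wg.Done(); _ = acct.SetRole("admin-a", "bob", RoleOwner) }()
		wg.Wait()
		if acct.Role("bob") == RoleOwner && acct.log[0] != "bob=owner" {
			return false
		}
	}
	return true
}

func main() {
	role, err := DemoRacy()
	fmt.Printf("racy path: bob=%s err=%v\n", role, err)
	fmt.Printf("fixed path invariant held over 1000 trials: %v\n", DemoSafe(1000))
}
```

The racy path reports `bob=owner` with no error even though admin-a was already a plain user when the change was committed; the fixed path never does, because the role check and the write share one critical section. The same property holds for a database-backed store when the check and the update run inside one transaction with row-level locking on the actor's user record.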
What's New
Client & Mobile Improvements
- Batched macOS DNS domains to avoid truncation issues. #5368
- Ensured route settlement on iOS before handling DNS responses. #5360
- Added logging of lock acquisition time in message handling for improved observability. #5393
Relay Improvements
- Reduced QUIC initial packet size to 1280 bytes (IPv6 minimum MTU) for better compatibility. #5374
Management Improvements
- Fixed possible race condition on user role change. #5395
- Added docker login step in management tests. #5323
Self-Hosted Updates
- Added a migration script for upgrading from pre-v0.65.0 to post-v0.65.0 combined setup. #5350
- Removed unused configuration example from self-hosted setup. #5383
Miscellaneous
- Updated timestamp format to include milliseconds. #5387
Full Changelog: v0.65.2...v0.65.3
v0.65.2
Release Notes for v0.65.2
What's New
Client Improvements
- Optimized Windows DNS performance with domain batching and batch mode. #5264
- Reset WireGuard endpoint on ICE session changes during relay fallback. #5283
- Refactored WireGuard endpoint setup with role-based proxy activation. #5277
- Exported lazy connection environment variables for mobile clients. #5310
- Ignored false positive lint alert in client code. #5370
Proxy & Reverse Proxy
- Added listener-side Proxy Protocol support and enabled it in Traefik. #5332
- Added WebSocket support to the proxy. #5312
- Removed unused OIDC config flags from proxy configuration. #5369
- Infrastructure updates for proxy components. #5365
Management Improvements
- Fixed UTC difference issue in peer “last seen” status. #5348
- Ensured Management starts even if external IdP is down. #5367
- Added flag to disable the legacy gRPC endpoint. #5372
Full Changelog: v0.65.1...v0.65.2
v0.65.1
What's Changed
- [misc] Fix reverse proxy getting started messaging by @braginini in #5317
- [management] Move service reload outside transaction in account settings update by @bcmmbaga in #5325
Full Changelog: v0.65.0...v0.65.1
v0.65.0
Release Notes for v0.65.0
What's New
🔀 Reverse Proxy
NetBird now includes a built-in reverse proxy in the management server, enabling proxied access to backend services through your NetBird network. This lets you expose your services to the public, with the option to secure them with SSO, PINs, or passwords.
No VPN client required for end users. Just point a custom domain at your NetBird server, configure the proxy in the dashboard, and your internal services are securely accessible from any browser. Think of it as a self-hosted alternative to Cloudflare Tunnels, but without the MITM and fully under your control.
Key features:
- Custom domains - Map your own domains to internal services and let NetBird handle TLS and routing via CNAME verification
- Built-in authentication - Protect exposed services with SSO (via your configured IdP), PIN codes, passwords, or magic links directly from the dashboard
- Multiple targets - Route traffic to one or more backend peers or resources with optional path-based routing
- Access logs - Monitor who's accessing your proxied services with built-in logging
- Proxy settings - Fine-tune behavior with options like host header passthrough and redirect rewriting
Add a Service
Expose any internal service by selecting a subdomain and adding one or more backend targets. Each target points to a peer or resource on your network.
Custom Domains
Bring your own domain by adding a CNAME record pointing to your NetBird proxy cluster. NetBird handles TLS certificate provisioning automatically.
Authentication
Secure your exposed services with multiple authentication methods. Enable one or combine several for layered protection.
Settings
Fine-tune proxy behavior with options like passing the original Host header to your backend or rewriting redirect URLs to use the public domain.
Learn more:
NetBird cloud support is coming soon, with hosted reverse proxy nodes.
🏗️ Self-Hosted Improvements
- Added combined NetBird server binary for simplified self-hosted deployments, reducing the number of containers needed to run NetBird. #5232
🔒 Management Improvements
- Enforced access control on accessible peers, ensuring proper authorization checks when querying the accessible peers endpoint. #5301
- Added cloud API spec to the public OpenAPI definition with REST client support. #5222
🖥️ Client Improvements
- Added early message buffer for the relay client, preventing message loss during connection establishment. #5282
- Refactored relay connection container for improved reliability and code maintainability. #5271
What's Changed
- [misc] Update sign pipeline version by @mlsmaycon in #5296
- [self-hosted] add netbird server by @braginini in #5232
- [management] Enforce access control on accessible peers by @bcmmbaga in #5301
- [misc] Add cloud api spec to public open api with rest client by @bcmmbaga in #5222
- [client] Add early message buffer for relay client by @pappz in #5282
- [client] Refactor/relay conn container by @pappz in #5271
- [management, reverse proxy] Add reverse proxy feature by @pascal-fischer in #5291
Full Changelog: v0.64.6...v0.65.0
v0.64.6
Release Notes for v0.64.6
What's New
🚨 Security Fix
Security: Fixed account impersonation validation in management API
Fixed a vulnerability in the management server's authentication middleware where the `?account=` query parameter could be used to impersonate arbitrary accounts without proper validation when getting a list of accessible peers. Exploitation requires the attacker to have prior knowledge of the target account and peer IDs.
The fix adds explicit validation via `IsValidChildAccount()` before allowing account switching. Account impersonation is now only permitted when the target account is confirmed as a legitimate child account of the requesting user's parent account.
Affected component: Management server HTTP middleware (auth_middleware.go) and /api/peers/<peer_id>/accessible-peers endpoint
Severity: High — an authenticated user could potentially access or act on behalf of accounts they should not have access to by passing an arbitrary account parameter and fetching the list of accessible peers.
Recommendation: All self-hosted deployments should upgrade to this version.
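The shape of this fix, an account-switch parameter that must be validated against the caller's own account hierarchy before it is honoured, is shown in the Go program below. It is an added example for these notes, not NetBird's middleware: the account store, the `isValidChildAccount` helper (named after the check the notes mention but implemented here from scratch), the `X-Authenticated-Account` header standing in for the authenticated caller's account, and all account IDs are constructed. The pre-fix `resolveAccountUnvalidated` is kept beside the hardened `resolveAccount` so the difference is visible in one place.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// childToParent is a constructed stand-in for the account store: child account -> parent.
var childToParent = map[string]string{
	"child-1": "parent-acc",
	"child-2": "parent-acc",
	"child-x": "other-parent",
}

// ErrAccountNotAccessible is returned when ?account= names an account the caller may not act for.
var ErrAccountNotAccessible = errors.New("requested account is not a child of the caller's account")

// isValidChildAccount is a hypothetical helper modelled on the check the release notes
// name; it is not NetBird's implementation. It answers: is target a child of requester?
func isValidChildAccount(requesterAccount, target string) bool {
	parent, ok := childToParent[target]
	return ok && parent == requesterAccount
}

// resolveAccountUnvalidated has the pre-fix shape: whatever ?account= says is trusted.
func resolveAccountUnvalidated(requesterAccount string, q url.Values) string {
	if acc := q.Get("account"); acc != "" {
		return acc
	}
	return requesterAccount
}

// resolveAccount applies the fix: switching is allowed only to a validated child account;
// any other value is rejected rather than silently honoured.
func resolveAccount(requesterAccount string, q url.Values) (string, error) {
	acc := q.Get("account")
	if acc == "" || acc == requesterAccount {
		return requesterAccount, nil
	}
	if !isValidChildAccount(requesterAccount, acc) {
		return "", ErrAccountNotAccessible
	}
	return acc, nil
}

type ctxKey string

const accountKey ctxKey = "account"

// accountMiddleware assumes an upstream authentication step has already established the
// caller's own account. The X-Authenticated-Account header is a constructed stand-in for
// that claim so the example runs offline; it is not something a client may supply.
func accountMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		requester := r.Header.Get("X-Authenticated-Account")
		if requester == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		acc, err := resolveAccount(requester, r.URL.Query())
		if err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		ctx := context.WithValue(r.Context(), accountKey, acc)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// requestAs sends one request through the middleware and reports the status code and the
// account the downstream handler was given ("" when the request was rejected).
func requestAs(requesterAccount, target string) (int, string) {
	seen := ""
	h := accountMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen, _ = r.Context().Value(accountKey).(string)
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, target, nil)
	req.Header.Set("X-Authenticated-Account", requesterAccount)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, seen
}

func main() {
	for _, p := range []string{"", "?account=child-1", "?account=child-x"} {
		code, acc := requestAs("parent-acc", "/api/peers/p1/accessible-peers"+p)
		fmt.Printf("%-18q -> %d account=%q\n", p, code, acc)
	}
}
```

With the hardened resolver a caller from `parent-acc` can switch to `child-1` but gets a 403 for `child-x`, and a request without the parameter falls back to the caller's own account; the unvalidated resolver returns whatever the parameter says. A rejected switch is also a useful detection signal: logging the requester account alongside the rejected `?account=` value surfaces probing for this class of bug.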
Client Improvements
- Added missing BSD flags to the debug bundle. #5254
- Cached the result of `wgInterface.ToInterface()` using `sync.Once` for better performance. #5256
- Fixed nil pointer panic in the ICE agent during sleep/wake cycles. #5261
- Always log DNS forwarder responses for improved troubleshooting. #5262
- Fixed netstack detection and added a WireGuard port option. #5251
- Corrected wrong URL logging for `DefaultAdminURL`. #5252
- Added timing measurements to `handleSync` for better observability. #5228
- Fixed duplicate firewall rules in USP filter. #5269
- Added environment variable to skip DNS probing when needed. #5270
- Fixed race condition and ensured correct message ordering in Relay. #5265
- Ensured login is checked in foreground mode when required. #5295
- Fixed multiple panics in device and engine code. #5287
- Cleaned up stale nftables entries without handle. #5272
Management Improvements
- Fixed incorrectly setting disconnected status for connected peers. #5247
- Added gRPC debounce for message types to reduce noise. #5239
- Added validation of stream start time for connecting peers. #5267
- Fixed `ischild` check logic. #5279
Full Changelog: v0.64.5...v0.64.6
v0.64.5
What's Changed
🚨 Security Fix
- Management API authorization bypass (CWE-639) — A flaw in the management API auth middleware allowed an authenticated user to bypass account-membership checks and RBAC enforcement via a manipulated request parameter. In multi-account deployments this could enable cross-account access; in single-account deployments it could relax per-user authorization checks. All self-hosted users should upgrade immediately. Fix by @pascal-fischer in #5246
Other Changes
- Add selfhosting video by @braginini in #5235
Full Changelog: v0.64.4...v0.64.5
v0.64.4
What's Changed
- [client] Add macOS default resolvers as fallback by @lixmal in #5201
- [client] Add block inbound option to the embed client by @lixmal in #5215
- [management] Disable local users for a smooth single-idp mode by @braginini in #5226
  https://docs.netbird.io/selfhosted/identity-providers/disable-local-authentication
- [management] disable sync lim by @crn4 in #5233
- [management] run cancelPeerRoutines in goroutine in sync by @crn4 in #5234
Full Changelog: v0.64.3...v0.64.4
v0.64.3
Release Notes for v0.64.3
What's New
Client Improvements
- Removed redundant square bracket trimming in USP endpoint parsing. #5197
- Refactored and optimized raw socket header handling for better performance. #5174
- Ensured NetBird stops on firewall initialization failure to avoid undefined states. #5208
- Fixed WireGuard watcher missing the initial handshake. #5213
Management Improvements
- Fixed ephemeral peers not being removed correctly. #5203
- Fixed skipping ephemeral peers on deletion. #5206
- Streamlined domain validation logic. #5211
Full Changelog: v0.64.2...v0.64.3
v0.64.2
Release Notes for v0.64.2
What's New
Client Improvements
- Consolidated authentication logic to improve maintainability and consistency. #5010
- Added IPv6 support to the UDP WireGuard proxy. #5169
- Fixed a flaky JWT SSH test to improve CI stability. #5181
- Updated Fyne UI and added retry handling to the exit menu. #5187
- Prevented eBPF traffic from being tracked in conntrack. #5166
- Added support for non-PTY, no-command interactive SSH sessions. #5093
Management & Identity
- Fixed validator warning messages to improve clarity. #5168
- Improved peer deletion error handling. #5188
- Included default groups claim in the CLI audience. #5186
- Added user invite link support for the embedded IdP. #5157
Full Changelog: v0.64.1...v0.64.2
