tag:github.com,2008:https://github.com/binwiederhier/ntfy/releases

Release notes from ntfy

2026-06-04T18:44:15Z tag:github.com,2008:Repository/420503947/v2.24.0 2026-06-05T00:40:31Z

v2.24.0

<p>The main feature for this release is an in-memory ACL cache (<code>auth-access-cache</code>) that can help bring down the read load on the production database. The topic authorization queries are consistently the highest ranking queries on the database, so this will help quite a bit. The current database load is quite low, but I'm expecting it to increase as more users join and use ntfy.</p> <p><strong>Security issues:</strong></p> <ul> <li>Fix case-insensitive ACL topic matching on SQLite: an access control rule for <code>secret</code> no longer also matches a request for <code>SECRET</code>. SQLite's <code>LIKE</code> is case-insensitive for ASCII by default. PostgreSQL was unaffected. It's honestly incredible that this issue remained undetected for so long, especially while ntfy.sh was running on SQLite (it now runs on PostgreSQL).</li> </ul> <p><strong>Features:</strong></p> <ul> <li>Add opt-in in-memory ACL cache (<code>auth-access-cache</code>) that serves topic authorization without a database round-trip; off by default, intended for high-volume servers</li> <li>Add <code>ntfy --version</code> flag to the CLI (<a href="https://github.com/binwiederhier/ntfy/issues/1722" data-hovercard-type="issue" data-hovercard-url="/binwiederhier/ntfy/issues/1722/hovercard">#1722</a>, <a href="https://github.com/binwiederhier/ntfy/pull/1748" data-hovercard-type="pull_request" data-hovercard-url="/binwiederhier/ntfy/pull/1748/hovercard">#1748</a>, thanks to <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/sskender/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/sskender">@sskender</a> for the contribution, and <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/Saucy9607/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/Saucy9607">@Saucy9607</a> for reporting)</li> </ul> <p><strong>Bug fixes + maintenance:</strong></p> <ul> <li>Extend account token automatically from the PWA service worker, so installed PWAs don't get logged out (<a href="https://github.com/binwiederhier/ntfy/pull/1669" data-hovercard-type="pull_request" data-hovercard-url="/binwiederhier/ntfy/pull/1669/hovercard">#1669</a>, <a href="https://github.com/binwiederhier/ntfy/issues/1203" data-hovercard-type="issue" data-hovercard-url="/binwiederhier/ntfy/issues/1203/hovercard">#1203</a>, <a href="https://github.com/binwiederhier/ntfy/issues/1533" data-hovercard-type="issue" data-hovercard-url="/binwiederhier/ntfy/issues/1533/hovercard">#1533</a>, thanks to <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/nihalgonsalves/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/nihalgonsalves">@nihalgonsalves</a> for the contribution)</li> <li>Fix <code>rel</code> attribute on auto-linked notification URLs so <code>noreferrer</code>/<code>noopener</code> are actually applied (<a href="https://github.com/binwiederhier/ntfy/pull/1720" data-hovercard-type="pull_request" data-hovercard-url="/binwiederhier/ntfy/pull/1720/hovercard">#1720</a>, thanks to <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/dmitrylyzo/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/dmitrylyzo">@dmitrylyzo</a> for the contribution)</li> <li>Add systemd sandboxing/hardening to the <code>ntfy.service</code> unit (<a href="https://github.com/binwiederhier/ntfy/pull/1467" data-hovercard-type="pull_request" data-hovercard-url="/binwiederhier/ntfy/pull/1467/hovercard">#1467</a>, thanks to <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/Velocifyer/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/Velocifyer">@Velocifyer</a> for the contribution)</li> <li>Fix <code>cmd</code> package build on macOS (darwin) so the server compiles from source (<a href="https://github.com/binwiederhier/ntfy/issues/1631" data-hovercard-type="issue" data-hovercard-url="/binwiederhier/ntfy/issues/1631/hovercard">#1631</a>, <a href="https://github.com/binwiederhier/ntfy/pull/1696" data-hovercard-type="pull_request" data-hovercard-url="/binwiederhier/ntfy/pull/1696/hovercard">#1696</a>, thanks to <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/ShipItAndPray/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/ShipItAndPray">@ShipItAndPray</a> for the contribution, and <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/XYenon/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/XYenon">@XYenon</a> for reporting)</li> </ul> github-actions[bot] tag:github.com,2008:Repository/420503947/v2.23.0 2026-05-18T01:28:55Z

v2.23.0

<p><strong>Features:</strong></p> <ul> <li>Add per-visitor rate limit on new topic creations (<code>visitor-topic-creation-limit-burst</code> / <code>visitor-topic-creation-limit-replenish</code>, defaults 100 burst / 1m replenish) to mitigate topic-enumeration / squatting attacks that inflate the in-memory topic map</li> </ul> <p><strong>Bug fixes + maintenance:</strong></p> <ul> <li>Remove <code>stacktrace-js</code>, <code>stacktrace-gps</code>, <code>humanize-duration</code>, and <code>js-base64</code> from the web app to reduce dependency and security footprint</li> <li>Restrict the publish dialog's local file preview to safe image types (png/jpg/gif/webp) to prevent same-origin script execution from blob URLs when previewing a crafted SVG (<a href="https://github.com/binwiederhier/ntfy/security/advisories/GHSA-j8hr-p342-xrmh">GHSA-j8hr-p342-xrmh</a>, thanks to <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/Venukamatchi/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/Venukamatchi">@Venukamatchi</a> for reporting)</li> </ul> github-actions[bot] tag:github.com,2008:Repository/420503947/v2.22.0 2026-04-21T15:17:51Z

v2.22.0

<p><strong>Bug fixes + maintenance:</strong></p> <ul> <li>Tighten web push endpoint allow-list regex to prevent SSRF via unanchored pattern matching (<a href="https://github.com/binwiederhier/ntfy/security/advisories/GHSA-w9hq-5jg7-q4j7">GHSA-w9hq-5jg7-q4j7</a>, thanks to <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/MightyNawaf/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/MightyNawaf">@MightyNawaf</a> for reporting)</li> <li>Fix web app not allowing access tokens to be changed to never expire (<a href="https://github.com/binwiederhier/ntfy/issues/1693" data-hovercard-type="issue" data-hovercard-url="/binwiederhier/ntfy/issues/1693/hovercard">#1693</a>/<a href="https://github.com/binwiederhier/ntfy/pull/1694" data-hovercard-type="pull_request" data-hovercard-url="/binwiederhier/ntfy/pull/1694/hovercard">#1694</a>, thanks to <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/lastsamurai26/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/lastsamurai26">@lastsamurai26</a> for reporting and to <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/ShipItAndPray/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/ShipItAndPray">@ShipItAndPray</a> for fixing)</li> <li>Fix web app crashing on account page for tokens without a last access time (<a href="https://github.com/binwiederhier/ntfy/issues/1651" data-hovercard-type="issue" data-hovercard-url="/binwiederhier/ntfy/issues/1651/hovercard">#1651</a>, <a href="https://github.com/binwiederhier/ntfy/issues/1684" data-hovercard-type="issue" data-hovercard-url="/binwiederhier/ntfy/issues/1684/hovercard">#1684</a>, thanks to <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/Pulsar7/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/Pulsar7">@Pulsar7</a> and <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/rzhli/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/rzhli">@rzhli</a> for reporting)</li> </ul> github-actions[bot] tag:github.com,2008:Repository/420503947/v2.21.0 2026-03-30T21:02:43Z

v2.21.0

<p>This release adds the ability to verify email addresses using the <code>smtp-sender-verify</code> flag. This is a change that is required because ntfy.sh was used to send unsolicited emails and the AWS SES account was suspended. Going forward, ntfy.sh won't be able to send emails unless the email address was verified ahead of time.</p> <p><strong>Features:</strong></p> <ul> <li>Add verified email recipients feature with <code>smtp-sender-verify</code> config flag, allowing server admins to require email<br> address verification before sending email notifications (<a href="https://github.com/binwiederhier/ntfy/pull/1681" data-hovercard-type="pull_request" data-hovercard-url="/binwiederhier/ntfy/pull/1681/hovercard">#1681</a>)</li> </ul> github-actions[bot] tag:github.com,2008:Repository/420503947/v2.20.1 2026-03-27T18:39:42Z

v2.20.1

<p>This is a small bugfix release that only affects high volume S3 backends that struggle with HTTP/2.</p> <p><strong>Bug fixes + maintenance:</strong></p> <ul> <li><a href="https://docs.ntfy.sh/config/#attachments" rel="nofollow">Attachments</a>: Add <code>disable_http2=true</code> S3 URL option to work around HTTP/2 stream errors with DigitalOcean Spaces and other S3-compatible providers (<a href="https://github.com/binwiederhier/ntfy/issues/1678" data-hovercard-type="issue" data-hovercard-url="/binwiederhier/ntfy/issues/1678/hovercard">#1678</a>/<a href="https://github.com/binwiederhier/ntfy/pull/1679" data-hovercard-type="pull_request" data-hovercard-url="/binwiederhier/ntfy/pull/1679/hovercard">#1679</a>)</li> </ul> github-actions[bot] tag:github.com,2008:Repository/420503947/v2.20.0 2026-03-26T17:50:25Z

v2.20.0

<p>This release is another step towards making it possible to help scale ntfy up and out 🔥! With this release, you can store attachments in an S3-compatible object store as an alterative to the directory. See <a href="https://docs.ntfy.sh/config/#attachments" rel="nofollow">attachment store</a> for details.</p> <blockquote> <p><g-emoji class="g-emoji" alias="warning">⚠️</g-emoji> <strong>Important note:</strong> With this release, ntfy will take full control over the attachment directory or S3 bucket. Files/objects in the configured <code>attachment-cache-dir</code> that match the message ID format (12 chars, matching <code>^[A-Za-z0-9]{12}$</code>), and have no entries in the message database will be deleted. <strong>Do not use a directory or S3 bucket as <code>attachment-cache-dir</code> that is also used for something else.</strong></p> <p>This is a small behavioral change that was necessary because the old logic often left attachments behind and would not clean them up. Unless you have re-used the attachment directory for anything else (which is hopefully never done), this should not affect you at all.</p> </blockquote> <p><strong>Features:</strong></p> <ul> <li>Add S3-compatible object storage as an alternative <a href="https://docs.ntfy.sh/config/#attachments" rel="nofollow">attachment store</a> via <code>attachment-cache-dir</code> config option (<a href="https://github.com/binwiederhier/ntfy/pull/1656" data-hovercard-type="pull_request" data-hovercard-url="/binwiederhier/ntfy/pull/1656/hovercard">#1656</a>/<a href="https://github.com/binwiederhier/ntfy/pull/1672" data-hovercard-type="pull_request" data-hovercard-url="/binwiederhier/ntfy/pull/1672/hovercard">#1672</a>)</li> </ul> <p><strong>Bug fixes + maintenance:</strong></p> <ul> <li>Reject invalid e-mail addresses (e.g. multiple comma-separated recipients) with HTTP 400</li> <li>Add OpenRC init service file (<a href="https://github.com/binwiederhier/ntfy/pull/1650" data-hovercard-type="pull_request" data-hovercard-url="/binwiederhier/ntfy/pull/1650/hovercard">#1650</a>, thanks to <a href="https://github.com/ageru">@ageru</a> for the contribution)</li> </ul> github-actions[bot] tag:github.com,2008:Repository/420503947/v2.19.2 2026-03-17T00:48:34Z

v2.19.2

<p>This is another small bugfix release for PostgreSQL, avoiding races between primary and read replica, as well as to further reduce primary load.</p> <p><strong>Bug fixes + maintenance:</strong></p> <ul> <li>Fix race condition in web push subscription causing FK constraint violation when concurrent requests hit the same endpoint</li> <li>Route authorization query to read-only database replica to reduce primary database load</li> </ul> github-actions[bot] tag:github.com,2008:Repository/420503947/v2.19.1 2026-03-16T01:26:46Z

v2.19.1

<p>This is a bugfix release to avoid PostgreSQL insert failures due to invalid UTF-8 messages. It also fixes <code>database-url</code> validation incorrectly rejecting <code>postgresql://</code> connection strings.</p> <p><strong>Bug fixes + maintenance:</strong></p> <ul> <li>Fix invalid UTF-8 in HTTP headers (e.g. Latin-1 encoded text) causing PostgreSQL insert failures and dropping entire message batches</li> <li>Fix <code>database-url</code> validation rejecting <code>postgresql://</code> connection strings (<a href="https://github.com/binwiederhier/ntfy/issues/1657" data-hovercard-type="issue" data-hovercard-url="/binwiederhier/ntfy/issues/1657/hovercard">#1657</a>/<a href="https://github.com/binwiederhier/ntfy/pull/1658" data-hovercard-type="pull_request" data-hovercard-url="/binwiederhier/ntfy/pull/1658/hovercard">#1658</a>)</li> </ul> github-actions[bot] tag:github.com,2008:Repository/420503947/v2.19.0 2026-03-15T17:18:03Z

v2.19.0

<p>This is a fast-follow release that enables Postgres read replica support.</p> <p>To offload read-heavy queries from the primary database, you can optionally configure one or more read replicas using the <code>database-replica-urls</code> option. When configured, non-critical read-only queries (e.g. fetching messages, checking access permissions, etc) are distributed across the replicas using round-robin, while all writes and correctness-critical reads continue to go to the primary. If a replica becomes unhealthy, ntfy automatically falls back to the primary until the replica recovers.</p> <p><strong>Features:</strong></p> <ul> <li>Support <a href="https://docs.ntfy.sh/config/#postgresql-experimental" rel="nofollow">PostgreSQL read replicas</a> for offloading non-critical read queries via <code>database-replica-urls</code> config option (<a href="https://github.com/binwiederhier/ntfy/pull/1648" data-hovercard-type="pull_request" data-hovercard-url="/binwiederhier/ntfy/pull/1648/hovercard">#1648</a>)</li> <li>Add interactive <a href="https://docs.ntfy.sh/config/#config-generator" rel="nofollow">config generator</a> to the documentation to help create server configuration files (<a href="https://github.com/binwiederhier/ntfy/pull/1654" data-hovercard-type="pull_request" data-hovercard-url="/binwiederhier/ntfy/pull/1654/hovercard">#1654</a>)</li> </ul> <p><strong>Bug fixes + maintenance:</strong></p> <ul> <li>Web: Throttle notification sound in web app to play at most once every 2 seconds (similar to <a href="https://github.com/binwiederhier/ntfy/issues/1550" data-hovercard-type="issue" data-hovercard-url="/binwiederhier/ntfy/issues/1550/hovercard">#1550</a>, thanks to <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/jlaffaye/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/jlaffaye">@jlaffaye</a> for reporting)</li> <li>Web: Add hover tooltips to icon buttons in web app account and preferences pages (<a href="https://github.com/binwiederhier/ntfy/issues/1565" data-hovercard-type="issue" data-hovercard-url="/binwiederhier/ntfy/issues/1565/hovercard">#1565</a>, thanks to <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/jermanuts/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/jermanuts">@jermanuts</a> for reporting)</li> </ul> github-actions[bot] tag:github.com,2008:Repository/420503947/v2.18.0 2026-03-08T18:22:19Z

v2.18.0

<p>This is the biggest release I've ever done on the server. It's 14,997 added lines of code, and 10,202 lines removed, all from one <a href="https://github.com/binwiederhier/ntfy/pull/1619" data-hovercard-type="pull_request" data-hovercard-url="/binwiederhier/ntfy/pull/1619/hovercard">pull request</a> that adds <a href="https://docs.ntfy.sh/config/#postgresql-experimental" rel="nofollow">PostgreSQL support</a>.</p> <p>The code was written by Cursor and Claude, but reviewed and heavily tested over 2-3 weeks by me. I created comparison documents, went through all queries multiple times and reviewed the logic over and over again. I also did load tests and manual regression tests, which took lots of evenings.</p> <p>ntfy.sh was successfully upgraded to 2.18.0 (though not with Postgres backend yet, as per the <a href="https://github.com/binwiederhier/ntfy/issues/1114#issuecomment-3991245185" data-hovercard-type="issue" data-hovercard-url="/binwiederhier/ntfy/issues/1114/hovercard">rollout plan</a>).</p> <p>I'm kindly asking the community to test the Postgres support and report back to me if things are working (or not working). There is a <a href="https://github.com/binwiederhier/ntfy/tree/main/tools/pgimport">one-off migration tool</a> (entirely written by AI) that you can use to migrate.</p> <p><strong>Features:</strong></p> <ul> <li>Add experimental <a href="https://docs.ntfy.sh/config/#postgresql-experimental" rel="nofollow">PostgreSQL support</a> as an alternative database backend (message cache, user manager, web push subscriptions) via <code>database-url</code> config option (<a href="https://github.com/binwiederhier/ntfy/issues/1114" data-hovercard-type="issue" data-hovercard-url="/binwiederhier/ntfy/issues/1114/hovercard">#1114</a>/<a href="https://github.com/binwiederhier/ntfy/pull/1619" data-hovercard-type="pull_request" data-hovercard-url="/binwiederhier/ntfy/pull/1619/hovercard">#1619</a>, thanks to <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/brettinternet/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/brettinternet">@brettinternet</a> for reporting)</li> </ul> <p><strong>Bug fixes + maintenance:</strong></p> <ul> <li>Preserve <code><br></code> line breaks in HTML-only emails received via SMTP (<a href="https://github.com/binwiederhier/ntfy/issues/690" data-hovercard-type="issue" data-hovercard-url="/binwiederhier/ntfy/issues/690/hovercard">#690</a>, <a href="https://github.com/binwiederhier/ntfy/pull/1620" data-hovercard-type="pull_request" data-hovercard-url="/binwiederhier/ntfy/pull/1620/hovercard">#1620</a>, thanks to <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/uzkikh/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/uzkikh">@uzkikh</a> for the fix and to <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/teastrainer/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/teastrainer">@teastrainer</a> for reporting)</li> </ul> github-actions[bot]