Action Required: Re-check your Notification preferences β
A bug introduced during the 4.0 multi-source migration was silently re-enabling several push notification categories β including Notify on Traceroute β for users whose preferences were carried over from the legacy single-source schema. If your traceroute (or new-node, MQTT, emoji) notifications have been firing despite the toggles being off, this is why.
After upgrading to 4.1.1, please open Notifications β review every toggle on every source. Re-saving once per source will write a fresh per-source row and stop relying on the legacy fallback path entirely. See #2867 for the full root-cause analysis.
Security: CVE-2026-31431 ("Copy Fail") posture β
We've published our position on the recent Linux kernel privilege-escalation CVE-2026-31431. MeshMonitor itself is not directly susceptible β the codebase does not invoke the kernel crypto API (AF_ALG/algif) β but unpatched host kernels remain exploitable by any local code execution. The Helm chart now defaults to seccompProfile.type: RuntimeDefault, which blocks the affected syscall path under most strict profiles, and SECURITY.md documents the recommended container hardening posture.
Operators on shared or multi-tenant hosts should read the full advisory and update their kernels: Discussion #2861.
Other fixes in 4.1.1 β
- Virtual Node MQTT uplink β the primary channel was sent to mqtt-proxy clients with an empty name, causing the proxy to drop every uplink with
uplink_enabled=False. The VN now mirrors the firmware fallback and synthesizes the channel name from the LoRa modem preset (e.g.MediumFast). #2866