This security patch fixes a regression appeared in the previous version 1.7.25 that makes Dashboard UI available for remote requests in the default configuration, e.g. when no authentication filter specified. Please note that when custom authentication filter is defined as recommended in the documentation, everything works as expected, but upgrade is recommended in any case. Please read the GHSA-7rq6-7gv8-c37h security advisory for details.

CVE ID

CVE-2021-41238

Affected Packages

Hangfire.Core = 1.7.25 (only)

Affected Platforms

All, including .NET Core, .NET Framework, Mono of any version

Hangfire.Core

• Security – Fix “Dashboard UI accessible from outside by default since 1.7.25” regression.