chatwoot/spec
Vishnu Narayanan 7c16071fc7
fix: Support allowlisted private API inbox webhooks (#14548)
Self-hosted installations can now opt SafeFetch into private-network
access after SSRF hardening. The default remains unchanged: private IP
destinations are blocked unless the instance owner explicitly enables
private-network requests with `SAFE_FETCH_ALLOW_PRIVATE_NETWORK=true`.

Fixes https://linear.app/chatwoot/issue/CW-7131
Fixes https://github.com/chatwoot/chatwoot/issues/14489
Fixes https://github.com/chatwoot/chatwoot/issues/14494

## How to use

For self-hosted installations that need API inbox webhooks, or other
SafeFetch-backed requests, to call trusted private services, enable
private-network access with a single environment variable:

```bash
SAFE_FETCH_ALLOW_PRIVATE_NETWORK=true
```

This is disabled by default. Enable it only when the instance owner
controls the deployment network and trusts the configured URLs.
2026-05-26 17:03:19 +05:30
| Name | Last commit | Date |
| --- | --- | --- |
| actions | fix: Skip redundant contact saves in ContactIdentifyAction (#13778) | 2026-03-11 21:40:38 -07:00 |
| assets | fix: standardize contact company field on company_name (#14099) | 2026-04-27 18:43:26 +05:30 |
| builders | feat: enable quoted reply for everyone (#14469) | 2026-05-15 10:59:48 -07:00 |
| channels | fix: Move contact events to account stream rather than individual user stream (#11082) | 2025-03-13 17:46:48 -07:00 |
| config | feat: add GuideJar embed support in HC (#13944) | 2026-03-30 14:19:02 +05:30 |
| configs | chore: Enable the new Rubocop rules (#7122) | 2023-05-19 14:37:10 +05:30 |
| controllers | feat: support bulk label removal (#14534) | 2026-05-26 15:23:51 +05:30 |
| dispatchers | Non blocking event dispatch (#652) | 2020-03-29 19:18:30 +05:30 |
| drops | feat: Add the support for custom attributes in message variables (#8511) | 2023-12-08 14:13:35 -08:00 |
| enterprise | fix: firecrawl long external link (#14566) | 2026-05-26 14:07:07 +05:30 |
| factories | feat: Ability to specify the authentication type for imap server (#12306) | 2026-05-08 16:40:15 +05:30 |
| finders | feat(rollup): report builder abstraction [2/3] (#13798) | 2026-04-20 11:15:48 +05:30 |
| fixtures | fix(mailbox): render inline images without Content-Disposition (#11949) | 2026-05-06 18:56:31 +05:30 |
| helpers | chore: Refactor UTM params to stay compliant with standards (#12312) | 2025-08-29 11:46:52 -07:00 |
| integration | Fix url in emails, add frontendURL helper (#19) | 2019-08-25 19:59:28 +05:30 |
| jobs | feat: add timeout for imap email job and skip problematic emails (#11981) | 2026-05-25 15:16:52 +05:30 |
| lib | fix: Support allowlisted private API inbox webhooks (#14548) | 2026-05-26 17:03:19 +05:30 |
| listeners | feat: Unread Count: added api, store refresher, invalidation and events (2/3)[CW-6851] (#14369) | 2026-05-20 17:36:09 +05:30 |
| mailboxes | fix(mailbox): render inline images without Content-Disposition (#11949) | 2026-05-06 18:56:31 +05:30 |
| mailers | fix: validate OpenAI hook credentials (#14068) | 2026-05-18 14:08:57 +05:30 |
| models | feat: Unread Count: added api, store refresher, invalidation and events (2/3)[CW-6851] (#14369) | 2026-05-20 17:36:09 +05:30 |
| policies | chore: Enforce custom role permissions on conversation access (#12583) | 2025-10-22 20:23:37 -07:00 |
| presenters | fix: index email subject from conversation for outbound messages (#14122) | 2026-04-22 20:36:35 +05:30 |
| requests/api/v1 | feat: allow disabling 2FA with a backup code (#14102) | 2026-04-28 10:09:41 +07:00 |
| services | feat: support bulk label removal (#14534) | 2026-05-26 15:23:51 +05:30 |
| support | feat: base layer for unread counts (store, counter and builder) (1/3)[CW-6851] (#14368) | 2026-05-20 14:26:21 +05:30 |
| swagger | feat: validate OpenAPI spec using Skooma (#13623) | 2026-03-10 18:33:55 -07:00 |
| coverage_helper.rb | ci(circleci): switch coverage reporting to Qlty orb (#12337) | 2025-08-31 00:39:34 +05:30 |
| rails_helper.rb | feat: base layer for unread counts (store, counter and builder) (1/3)[CW-6851] (#14368) | 2026-05-20 14:26:21 +05:30 |
| spec_helper.rb | ci(circleci): switch coverage reporting to Qlty orb (#12337) | 2025-08-31 00:39:34 +05:30 |
| test_helper.rb | ci(circleci): switch coverage reporting to Qlty orb (#12337) | 2025-08-31 00:39:34 +05:30 |