- fix: PKCE challenges to Forgejo's OAuth identity provider were not validated when using the `S256` algorithm
- fix: Forgejo supports using an OAuth Bearer token with HTTP basic authentication, rather than Bearer token authentication, but did not properly apply the limited scopes of the OAuth grant
- fix: missing permission checks in attachment-related web endpoints allowed modifying attachments that a user did not own
- fix: email notifications for new releases could be sent to users that no longer access to the repository, or to inactive users
- fix: missing permission checks in user/org-owned projects would allow modifications of the open/closed state to be made to projects via insecure direct object references
- fix: missing permission checks in a web endpoint allowed cancellation of the automerge of a PR
- fix: prevent additional path-traversals in post-login redirect parameters that allowed for arbitrary redirects