forgejo/release-notes/11515.md

• fix: PKCE challenges to Forgejo's OAuth identity provider were not validated when using the S256 algorithm
• fix: Forgejo supports using an OAuth Bearer token with HTTP basic authentication, rather than Bearer token authentication, but did not properly apply the limited scopes of the OAuth grant
• fix: missing permission checks in attachment-related web endpoints allowed modifying attachments that a user did not own
• fix: email notifications for new releases could be sent to users that no longer access to the repository, or to inactive users
• fix: missing permission checks in user/org-owned projects would allow modifications of the open/closed state to be made to projects via insecure direct object references
• fix: missing permission checks in a web endpoint allowed cancellation of the automerge of a PR
• fix: prevent additional path-traversals in post-login redirect parameters that allowed for arbitrary redirects