Release notes – Lobster Data 4.6.24
Release date: 2026-07-09
Bug fixes
LDP-7684
Increased security in the DataWizard OAuth2 endpoint. This closes a flexjson deserialization vulnerability.
LDP-7645
Added a configurable whitelist property for the OpenAPI viewer: hub.datawizard.api.viewer.whitelist. This property restricts which endpoints the viewer can fetch. It mitigates unauthenticated Server-Side Request Forgery (SSRF).
Improvements
LDP-7828
MessageService: Added further filtering of data received from peers. This prevents deserialization attacks at that level.
Security
LDP-7625
By default, LDP disables endpoints that expose API specifications, version details, host details, and stack traces: /dw/spi/oas, /_data/_inf, /dw/cloud. You can re-enable each endpoint individually using system properties. Contact support@lobster.de for access to these APIs.