From 0e577ed6c97cb5648adb43402abcc7dd52a2feed Mon Sep 17 00:00:00 2001
From: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
Date: Tue, 12 May 2026 09:10:46 +0200
Subject: [PATCH] chore(release-notes): Forgejo v15.0.2 (#12536)

https://codeberg.org/forgejo/forgejo/milestone/84479
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12536
Reviewed-by: Beowulf <beowulf@beocode.eu>
---
 release-notes-published/15.0.2.md | 33 +++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 release-notes-published/15.0.2.md

diff --git a/release-notes-published/15.0.2.md b/release-notes-published/15.0.2.md
new file mode 100644
index 0000000000..c5c8c14648
--- /dev/null
+++ b/release-notes-published/15.0.2.md
@@ -0,0 +1,33 @@
+
+
+<!--start release-notes-assistant-->
+
+## Release notes
+<!--URL:https://codeberg.org/forgejo/forgejo-->
+- Security bug fixes
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12494): <!--number 12494 --><!--line 0 --><!--description LSBmaXg6IHByZXZlbnQgZ2l0IHdyaXRlIHRvIHdpa2kgcmVwbyBmcm9tIHVuYXV0aG9yaXplZCB1c2VyIHZpYSBnaXQgSFRUUA==-->fix: prevent git write to wiki repo from unauthorized user via git HTTP<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12494): <!--number 12494 --><!--line 1 --><!--description LSBmaXg6IHByZXZlbnQgTEZTIGF1dGhvcml6YXRpb24gdG9rZW4gZnJvbSBiZWluZyB1c2VkIGZvciByZWFkL3dyaXRlIGFjY2VzcyBhZnRlciB1c2VyJ3MgYWNjZXNzIGlzIHJlc3RyaWN0ZWQgZnJvbSBGb3JnZWpv-->fix: prevent LFS authorization token from being used for read/write access after user's access is restricted from Forgejo<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12494): <!--number 12494 --><!--line 2 --><!--description LSBmaXg6IHByZXZlbnQgc2NvcGVkIEFQSSBhY2Nlc3MgKE9BdXRoIHRva2VucywgQWNjZXNzIHRva2VucykgZnJvbSBhY2Nlc3NpbmcgcmVzb3VyY2VzIGJleW9uZCB0aGVpciBwZXJtaXR0ZWQgc2NvcGUgdmlhIG5vbi1BUEkgZW5kcG9pbnRzIChlLmcuIC91c2VyL3JlcG8vcmF3Ly4uLik=-->fix: prevent scoped API access (OAuth tokens, Access tokens) from accessing resources beyond their permitted scope via non-API endpoints (e.g. /user/repo/raw/...)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12494): <!--number 12494 --><!--line 3 --><!--description LSBmaXg6IGltcGxlbWVudGluZyBtaXNzaW5nIE9BdXRoIHZhbGlkYXRpb24gY2hlY2tzLCBpbXByb3ZlIHByb3RlY3Rpb25zIGFnYWluc3QgcmFjZSBjb25kaXRpb25z-->fix: implementing missing OAuth validation checks, improve protections against race conditions<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12494): <!--number 12494 --><!--line 4 --><!--description LSBmaXg6IHByZXZlbnQgT0F1dGggcmVkaXJlY3QgVVJJIHNwb29maW5nIHZpYSBub24tYXNjaWkgY2FzZSBjb2xsaXNpb24=-->fix: prevent OAuth redirect URI spoofing via non-ascii case collision<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12494): <!--number 12494 --><!--line 5 --><!--description LSBmaXg6IHN0cmVuZ3RoZW4gQWN0aW9ucyBBcnRpZmFjdCBWNCBzaWduYXR1cmUgYWxnb3JpdGhtIGFnYWluc3Qgc3Bvb2ZpbmcgYXR0YWNrcw==-->fix: strengthen Actions Artifact V4 signature algorithm against spoofing attacks<!--description-->
+- User Interface bug fixes
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12366) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12492)): <!--number 12492 --><!--line 0 --><!--description V2hlbiB0aGUgYXV0aG9yIG9mIGEgcHVsbCByZXF1ZXN0IGlzIFtkZW5pZWQgdGhlIHJpZ2h0IHRvIHJ1biBBY3Rpb25zXShodHRwczovL2Zvcmdlam8ub3JnL2RvY3MvbmV4dC91c2VyL2FjdGlvbnMvc2VjdXJpdHktcHVsbC1yZXF1ZXN0LykgYnkgY2xpY2tpbmcgb24gdGhlICJEZW55IiBidXR0b24gb24gdGhlIHB1bGwgcmVxdWVzdCB0cnVzdCBtYW5hZ2VtZW50IHBhbmVsLCB0aGUgd29ya2Zsb3cgcnVucyBjcmVhdGVkIGZvciBhbGwgY29tbWl0cyBwdXNoZWQgdG8gdGhlIHB1bGwgcmVxdWVzdCBhcmUgY2FuY2VsbGVkLiBCZWZvcmUgdGhhdCwgcnVucyB0aGF0IHdlcmUgYXV0b21hdGljYWxseSBjYW5jZWxsZWQgYmVjYXVzZSBhIG5ld2VyIGNvbW1pdCB3YXMgcHVzaGVkIHRvIHRoZSBwdWxsIHJlcXVlc3QgW3dlcmUgc3R1Y2sgaW4gYSBzdGF0ZSB3YWl0aW5nIGZvciBhcHByb3ZhbF0oaHR0cHM6Ly9jb2RlYmVyZy5vcmcvZm9yZ2Vqby9mb3JnZWpvL2lzc3Vlcy8xMjM1MCku-->When the author of a pull request is [denied the right to run Actions](https://forgejo.org/docs/next/user/actions/security-pull-request/) by clicking on the "Deny" button on the pull request trust management panel, the workflow runs created for all commits pushed to the pull request are cancelled. Before that, runs that were automatically cancelled because a newer commit was pushed to the pull request [were stuck in a state waiting for approval](https://codeberg.org/forgejo/forgejo/issues/12350).<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12447) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12461)): <!--number 12461 --><!--line 0 --><!--description Zml4OiBwYWdpbmF0ZSB0ZWFtIG1lbWJlcnMgbGlzdA==-->fix: paginate team members list<!--description-->
+- Bug fixes
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12302) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12470)): <!--number 12470 --><!--line 0 --><!--description V2hlbiBhIHJldmlldyB3YXMgY3JlYXRlZCBhcyBwZW5kaW5nIGFuZCB0aGVuIHN1Ym1pdHRlZCwgdGhlIHJldmlldyByZXF1ZXN0IHdhc24ndCBkZWxldGVkLiBUaGVzZSByZXZpZXcgcmVxdWVzdHMgY291bGRuJ3QgYmUgcmVtb3ZlZCwgYXMgdGhlIG5vdyBleGlzdGluZyByZXZpZXcgc2hhZG93ZWQgdGhlIHJldmlldyByZXF1ZXN0LiBOb3csIHJldmlldyByZXF1ZXN0cyBnZXQgZGVsZXRlZCB3aGVuIGEgcGVuZGluZyByZXZpZXcgZnJvbSB0aGF0IHJldmlld2VyIGdldHMgc3VibWl0dGVkLCBhbmQgYnJva2VuIHJldmlldyByZXF1ZXN0cyBpbiBhbHJlYWR5IGV4aXN0aW5nIGRhdGEgY2FuIGJlIG5vcm1hbGx5IHJlbW92ZWQgdmlhIHRoZSBVSS4=-->When a review was created as pending and then submitted, the review request wasn't deleted. These review requests couldn't be removed, as the now existing review shadowed the review request. Now, review requests get deleted when a pending review from that reviewer gets submitted, and broken review requests in already existing data can be normally removed via the UI.<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12446) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12452)): <!--number 12452 --><!--line 0 --><!--description Zml4OiBtYWtlIHBhY2thZ2UgY2xlYW51cCB3b3JrIGFnYWlu-->fix: make package cleanup work again<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12370) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12422)): <!--number 12422 --><!--line 0 --><!--description Zml4OiBjbGVhbnVwIGRhdGEgYmVmb3JlIG1pZ3JhdGlvbiByZXRyeQ==-->fix: cleanup data before migration retry<!--description-->
+- Included for completeness but not user-facing (chores, etc.)
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12382) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12533)): <!--number 12533 --><!--line 0 --><!--description Zml4KGFjdGl2aXR5cHViKTogb25seSByZXR1cm4gcHVibGljIGFjdGl2aXRpZXMgb24gcmVxdWVzdCAoIzEyMzgyKQ==-->fix(activitypub): only return public activities on request (#12382)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12531): <!--number 12531 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgbWVybWFpZCB0byB2MTEuMTUuMCBbU0VDVVJJVFldICh2MTUuMC9mb3JnZWpvKQ==-->Update dependency mermaid to v11.15.0 [SECURITY] (v15.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12503): <!--number 12503 --><!--line 0 --><!--description Y2hvcmU6IFBHUCBzaWduIC53ZWxsLWtub3duL3NlY3VyaXR5LnR4dCBbc2tpcCBjaV0=-->chore: PGP sign .well-known/security.txt [skip ci]<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12465): <!--number 12465 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvbmV0IHRvIHYwLjUzLjAgW1NFQ1VSSVRZXSAodjE1LjAvZm9yZ2Vqbyk=-->Update module golang.org/x/net to v0.53.0 [SECURITY] (v15.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12433) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12467)): <!--number 12467 --><!--line 0 --><!--description W3BhZ3VyZV0gZW5zdXJlIG1vdmluZyBhbGwgY29tbWl0cyBpbiBhIHB1bGwgcmVxdWVzdA==-->[pagure] ensure moving all commits in a pull request<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12231) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12468)): <!--number 12468 --><!--line 0 --><!--description cmVmYWN0b3I6IGNsYXJpZnkgZm91ciBkaWZmZXJlbnQgb3V0cHV0cyB0aGF0IGF1dGhlbnRpY2F0aW9uIG1ldGhvZHMgcHJvdmlkZQ==-->refactor: clarify four different outputs that authentication methods provide<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12202) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12462)): <!--number 12462 --><!--line 0 --><!--description cmVmYWN0b3I6IGNoYW5nZSBhdXRoZW50aWNhdGlvbiB0byByZXR1cm4gc3RydWN0dXJlZCBkYXRh-->refactor: change authentication to return structured data<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12456): <!--number 12456 --><!--line 0 --><!--description VXBkYXRlIGdvIHRvb2xjaGFpbiBkaXJlY3RpdmUgdG8gdjEuMjYuMyAodjE1LjAvZm9yZ2Vqbyk=-->Update go toolchain directive to v1.26.3 (v15.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12351) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12395)): <!--number 12395 --><!--line 0 --><!--description Zml4OiBnZXQgdGFnIG11c3QgcmV0dXJuIHRoZSB0YWcgc2lnbmF0dXJlIGluc3RlYWQgb2YgY29tbWl0IHNpZ25hdHVyZQ==-->fix: get tag must return the tag signature instead of commit signature<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12357) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12362)): <!--number 12362 --><!--line 0 --><!--description Zml4OiBzZXQgYHJlcG9faWRgIGZvciBtaWdyYXRlZCBhdHRhY2htZW50-->fix: set `repo_id` for migrated attachment<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12291) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12354)): <!--number 12354 --><!--line 0 --><!--description Zml4KG9hdXRoKTogb25seSBhY2NlcHQgcmVmcmVzaCB0b2tlbnMgYXMgcmVmcmVzaCB0b2tlbnM=-->fix(oauth): only accept refresh tokens as refresh tokens<!--description-->
+<!--end release-notes-assistant-->