Releases: bun4uk/chadmin
Release list
v2.1.0 — ClickHouse Cloud private endpoint support
Adds opt-in support for connecting to ClickHouse Cloud services over their private endpoint (AWS PrivateLink / GCP Private Service Connect / Azure Private Link) instead of the public endpoint.
What's new
- New env var `CLICKHOUSE_CLOUD_USE_PRIVATE_DNS` (default `false`). When enabled, each Cloud service's data-plane host is resolved to its private DNS hostname.
- The hostname is fetched per service from the control-plane endpoint `GET /v1/organizations/{org}/services/{id}/privateEndpointConfig`, a control-plane call that never wakes an idle service.
- Resolved hostnames are cached (positive 300s, negative 30s) and fall back to the public endpoint when no private endpoint is configured or the lookup fails.
- The private host also feeds the idle-wake `/ping`, so wake actions stay on the private network too.
Enable only when chadmin runs inside the VPC/network where the private DNS hostname resolves. Note that the fallback fails open: when the control-plane lookup fails, traffic goes over the public endpoint rather than being refused.
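The resolution flow described above (per-service control-plane lookup, positive/negative caching, public fallback), written out as an added example. This is not chadmin's code: the fetcher interface, the fake clock and the class names are assumptions made for the demo; the TTLs and the fall-back rule are the ones the release notes state.

```python
"""Private-endpoint host resolution with positive/negative caching (added example)."""
from __future__ import annotations

import time
from dataclasses import dataclass, field
from typing import Callable, Optional

POSITIVE_TTL = 300.0  # cache a resolved private hostname for 5 minutes (per release notes)
NEGATIVE_TTL = 30.0   # retry an absent/failed lookup after 30 seconds (per release notes)


class ControlPlaneError(Exception):
    """Raised by the fetcher when the control-plane call itself fails."""


# Assumed fetcher interface: (org_id, service_id) -> private hostname, or None when the
# service has no private endpoint configured. A real fetcher would call the
# .../services/{id}/privateEndpointConfig endpoint; this demo injects a fake.
Fetcher = Callable[[str, str], Optional[str]]


@dataclass
class PrivateHostResolver:
    fetch_private_host: Fetcher
    clock: Callable[[], float] = time.monotonic
    _cache: dict = field(default_factory=dict)       # (org, svc) -> (host or None, expiry)
    fallbacks: list = field(default_factory=list)    # (svc, reason) each time we went public

    def resolve(self, org_id: str, service_id: str, public_host: str) -> str:
        """Return the host to connect to: private when known, public otherwise."""
        key = (org_id, service_id)
        now = self.clock()
        entry = self._cache.get(key)
        if entry is not None and entry[1] > now:
            private, reason = entry[0], "cached-negative"
        else:
            try:
                private, reason = self.fetch_private_host(org_id, service_id), "no-private-endpoint"
            except ControlPlaneError:
                private, reason = None, "lookup-failed"
            # Positive results live 300 s, negative ones (None) only 30 s.
            self._cache[key] = (private, now + (POSITIVE_TTL if private else NEGATIVE_TTL))
        if private is None:
            self.fallbacks.append((service_id, reason))  # fail-open: record it
            return public_host
        return private

    def wake_url(self, org_id: str, service_id: str, public_host: str) -> str:
        """Idle-wake ping goes to the same resolved host, so it stays private too."""
        return f"https://{self.resolve(org_id, service_id, public_host)}/ping"


def demo() -> dict:
    """Drive the resolver against a constructed control plane and a fake clock."""
    calls: list[str] = []
    now = [1000.0]
    # Constructed data: svc-a has a private endpoint, svc-b none, svc-c's lookup errors.
    table = {"svc-a": "a-private.example.internal", "svc-b": None}

    def fetch(org: str, svc: str) -> Optional[str]:
        calls.append(svc)
        if svc == "svc-c":
            raise ControlPlaneError("503 from control plane")
        return table[svc]

    r = PrivateHostResolver(fetch_private_host=fetch, clock=lambda: now[0])
    out = {}
    out["a1"] = r.resolve("org1", "svc-a", "a-public.example")
    out["a2"] = r.resolve("org1", "svc-a", "a-public.example")   # served from positive cache
    out["b"] = r.resolve("org1", "svc-b", "b-public.example")    # no private endpoint -> public
    out["c1"] = r.resolve("org1", "svc-c", "c-public.example")   # lookup failed -> public
    now[0] += 29
    out["c2"] = r.resolve("org1", "svc-c", "c-public.example")   # still negative-cached
    now[0] += 2
    out["c3"] = r.resolve("org1", "svc-c", "c-public.example")   # 31 s later: retried
    now[0] += 300
    out["a3"] = r.resolve("org1", "svc-a", "a-public.example")   # positive entry expired
    out["ping"] = r.wake_url("org1", "svc-a", "a-public.example")
    out["calls"] = list(calls)
    out["fallbacks"] = list(r.fallbacks)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `fallbacks` list is the practitioner's hook: because a failed lookup silently routes over the public endpoint, something should record when that happens so a misconfigured deployment does not look healthy while bypassing the private path.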
Upgrade
No action required — the feature is off by default. To turn it on, set CLICKHOUSE_CLOUD_USE_PRIVATE_DNS=true.
Docker images (multi-arch amd64/arm64):
- `bun4uk/chadmin:2.1.0` / `bun4uk/chadmin:latest`
- `ghcr.io/bun4uk/chadmin:2.1.0` / `ghcr.io/bun4uk/chadmin:latest`
v2.0.3 — security patch (Symfony, Vite & Twig CVEs)
Remediates all twelve Dependabot advisories reported against bun4uk/chadmin since v2.0.2, plus five Twig sandbox CVEs surfaced by composer audit. Dependency bumps only — no application behavior changes.
npm — vite 8.0.9 → 8.0.16
| Severity | Advisory | Summary |
|---|---|---|
| high | GHSA-fx2h-pf6j-xcff (CVE-2026-53571) | server.fs.deny bypass on Windows alternate paths |
| medium | GHSA-v6wh-96g9-6wx3 (CVE-2026-53632) | launch-editor NTLMv2 hash disclosure via UNC path handling on Windows |
composer — Symfony (→ 8.0.13 / 8.0.12)
| Severity | Advisory | Package | Summary |
|---|---|---|---|
| high | GHSA-m7v2-7gxm-vc2v (CVE-2026-45077) | symfony/monolog-bridge | Unauthenticated PHP object deserialization in MonologBridge server:log listener |
| medium | GHSA-38cx-cq6f-5755 (CVE-2026-48736) | symfony/http-foundation | IpUtils::PRIVATE_SUBNETS omits IPv6 transition forms → SSRF bypass in NoPrivateNetworkHttpClient |
| medium | GHSA-6439-2f28-8p8q (CVE-2026-45075) | symfony/http-kernel | HEAD request bypasses methods: ['GET'] filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid] |
| medium | GHSA-6qh9-h6wf-jgqc (CVE-2026-45073) | symfony/cache | SQL injection in PdoAdapter::doClear() via unsanitized $prefix |
| low | GHSA-hmr5-2xcr-v8pp (CVE-2026-45072) | symfony/web-profiler-bundle | Stored XSS in CodeExtension::fileExcerpt() (unescaped non-PHP file rendering) |
| low | GHSA-c2p3-7m5p-cv8x (CVE-2026-45133) | symfony/yaml | Parser hardening when handling untrusted input |
| low | GHSA-4qpc-3hr4-r2p4 (CVE-2026-45304) | symfony/yaml | Exponential memory allocation via recursive collection-alias |
| low | GHSA-9frc-8383-795m (CVE-2026-45305) | symfony/yaml | ReDoS via catastrophic backtracking in Parser::cleanup() regex |
symfony/routing and symfony/http-kernel are also bumped to 8.0.13 transitively. The Symfony tree is re-resolved to the latest 8.0.x to honor the project's ~8.0.0 constraint.
composer — Twig twig/twig 3.26.0 → 3.27.1
Surfaced by composer audit (not yet flagged by Dependabot). Five sandbox-bypass advisories, all fixed in 3.27.0:
- CVE-2026-48808 — sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`
- CVE-2026-48807 — sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` and `in`/`not in`
- CVE-2026-48806 — sandbox `__toString()` policy bypass via dynamic mapping keys
- CVE-2026-48805 — sandbox state regression in deprecated internal wrappers
- CVE-2026-46636 — sandbox filter/tag/function allow-list bypass when sandbox state changes between renders
Notes
Chadmin renders only its own first-party Twig templates and does not use the Twig sandbox, so the sandbox CVEs are not exploitable here — the bump keeps `composer audit` and Docker image scanners green. `composer audit --locked` reports no advisories. Also includes a demo fix: the elapsed-time counter no longer stops incrementing.
Images
- Docker Hub: `docker pull bun4uk/chadmin:2.0.3` (also `2.0`, `2`, `latest`)
- GHCR: `docker pull ghcr.io/bun4uk/chadmin:2.0.3`
v2.0.2 — security patch (Twig CVEs)
Remediates seven advisories reported by Dependabot against bun4uk/chadmin by bumping twig/twig from 3.24.0 → 3.26.0 (composer).
| Severity | Advisory | Summary |
|---|---|---|
| critical | GHSA-7p85-w9px-jpjp | PHP code injection via {% use %} template name |
| high | GHSA-45vw-wh46-2vx8 | RCE via _self.(<string>) macro reference compilation |
| high | GHSA-mm6w-gr99-p3jj | Sandbox bypass via object-destructuring assignment |
| medium | GHSA-7fxw-r6jv-74c8 | {% sandbox %}{% include %} skips checkSecurity() on cached templates |
| medium | GHSA-24x9-r6q4-q93w | template_from_string() escapes a SourcePolicy sandbox via synthesized name |
| low | GHSA-vcc8-phrv-43wj | Sandbox property allowlist bypass via the column filter |
| low | GHSA-4j38-f5cw-54h7 | spaceless filter implicitly marks its output as safe |
Transitive composer bumps
- `symfony/deprecation-contracts` 3.6.0 → 3.7.0
- `symfony/polyfill-ctype` 1.36.0 → 1.37.0
- `symfony/polyfill-mbstring` 1.36.0 → 1.37.0
Notes
Chadmin does not use the Twig sandbox at runtime, so there is no behavior change. The bump is published to silence Dependabot and keep Docker scanners green.
Images
- Docker Hub: `docker pull bun4uk/chadmin:2.0.2` (also `2.0`, `2`, `latest`)
- GHCR: `docker pull ghcr.io/bun4uk/chadmin:2.0.2`
v2.0.1 — security patch (Docker Hub CVE false positives)
Patch release: clears two false-positive vulnerability findings reported by Docker Hub against bun4uk/chadmin:2.0.0, and adopts the consolidated Dockerfile refactor merged via #2.
What changed
- #2 by @everythings-gonna-be-alright — Single multi-stage `docker/Dockerfile` with `base` (php-fpm only) and `aio` (php-fpm + nginx + supervisord) targets. AIO image now runs as the unprivileged `chadmin` user (UID 1984). `docker/dev` + `docker/prod` configs consolidated under `docker/configs/`.
- CVE-2023-27482 (Home Assistant Supervisor name collision with Alpine `apk:supervisor`) — declared `not_affected` via OpenVEX (`vex/chadmin.openvex.json`), attached to the published image as a sigstore attestation by the publish workflow. Only scanners that consume VEX attestations will honor this; others will keep reporting the CVE.
- CVE-2026-24049 (`wheel.cli.unpack` path traversal) — cleared by removing the vendored `wheel-*.dist-info` inside `py3-setuptools`. The vendored copy is metadata only — no Python source — so removal is safe; setuptools ≥70.1 uses its own `bdist_wheel` and never imports `_vendor/wheel` at runtime. Same CVE is also declared `not_affected` in the OpenVEX statement as a backup.
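How a VEX consumer turns the two `not_affected` statements into suppressed findings, as an added example. This is not the project's `vex/chadmin.openvex.json` nor its publish workflow: the document below is constructed for the demo, and its product purl, `@id`, author, timestamp and justification values are assumptions; only the two CVE ids and the `not_affected` status come from the release notes. The scanner findings are constructed as well.

```python
"""Applying OpenVEX not_affected statements to scanner findings (added example)."""
from __future__ import annotations

OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"

# Justification values the OpenVEX spec allows on a not_affected statement.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

IMAGE = "pkg:docker/bun4uk/chadmin@2.0.1"  # assumed product identifier for the demo

# Constructed VEX document. Field values marked "assumed" are not from the project.
VEX_DOC = {
    "@context": OPENVEX_CONTEXT,
    "@id": "https://example.invalid/vex/chadmin-2.0.1",  # assumed
    "author": "example maintainer",                       # assumed
    "timestamp": "2026-01-01T00:00:00Z",                  # assumed
    "version": 1,
    "statements": [
        {
            "vulnerability": {"name": "CVE-2023-27482"},
            "products": [{"@id": IMAGE}],
            "status": "not_affected",
            # assumed justification: the apk 'supervisor' package is not Home Assistant Supervisor
            "justification": "component_not_present",
        },
        {
            "vulnerability": {"name": "CVE-2026-24049"},
            "products": [{"@id": IMAGE}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_present",  # assumed: vendored metadata removed
        },
    ],
}

# Constructed scanner output. The last entry uses a placeholder id that matches no statement
# and a third entry targets a different product, to show that matching is per product.
FINDINGS = [
    {"id": "CVE-2023-27482", "package": "supervisor", "product": IMAGE},
    {"id": "CVE-2026-24049", "package": "py3-setuptools", "product": IMAGE},
    {"id": "CVE-2023-27482", "package": "supervisor", "product": "pkg:docker/example/other@1.0"},
    {"id": "CVE-0000-00000", "package": "placeholder", "product": IMAGE},
]


def validate(doc: dict) -> list[str]:
    """Return spec problems found in the document (empty list means these checks pass)."""
    problems: list[str] = []
    if doc.get("@context") != OPENVEX_CONTEXT:
        problems.append("unexpected @context")
    for i, st in enumerate(doc.get("statements", [])):
        if not st.get("products"):
            problems.append(f"statement {i}: no products")
        # not_affected must carry a recognised justification or an impact_statement.
        if st.get("status") == "not_affected" and not (
            st.get("justification") in NOT_AFFECTED_JUSTIFICATIONS or st.get("impact_statement")
        ):
            problems.append(f"statement {i}: not_affected without justification/impact_statement")
    return problems


def suppressed_ids(doc: dict, product: str) -> set[str]:
    """CVE ids the document declares not_affected or fixed for exactly this product."""
    ids: set[str] = set()
    for st in doc["statements"]:
        if st["status"] in ("not_affected", "fixed") and any(
            p.get("@id") == product for p in st["products"]
        ):
            ids.add(st["vulnerability"]["name"])
    return ids


def apply_vex(findings: list[dict], doc: dict) -> tuple[list[dict], list[dict]]:
    """Split findings into (kept, suppressed). Refuses to apply an invalid document."""
    problems = validate(doc)
    if problems:
        raise ValueError("; ".join(problems))
    kept, dropped = [], []
    for f in findings:
        (dropped if f["id"] in suppressed_ids(doc, f["product"]) else kept).append(f)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = apply_vex(FINDINGS, VEX_DOC)
    print("suppressed:", [f["id"] for f in dropped])
    print("still reported:", [(f["id"], f["product"]) for f in kept])
```

Two points worth keeping: a `not_affected` statement without a justification is rejected rather than silently applied, and a statement only suppresses findings on the product it names, so the same CVE on a different image stays visible.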
Docker
`docker pull bun4uk/chadmin:2.0.1` (or `:latest`)
Drop-in upgrade from 2.0.0 — no behaviour changes.
v2.0.0 — Multi-topology rewrite
After 5 years of dormancy, chadmin is back with a complete rewrite. New stack, new UI, new capabilities — see https://github.com/bun4uk/chadmin#readme for usage.
Highlights
- Multi-topology auto-detection — works against a single ClickHouse node, a self-hosted cluster, or ClickHouse Cloud. No manual switch — chadmin probes `system.clusters` and reads Cloud API credentials to decide.
- ClickHouse Cloud support — list services across organizations, see live state (running/idle/stopped/awaking), wake idle services from the UI, deep-link to a warehouse/service via URL params.
- Users & Access page — inspect ClickHouse users and drop them, per-target.
- Modernized stack — PHP 8.5 / Symfony 8.0 backend, React 19 + TypeScript + Vite 8 + Tailwind 4 frontend with `@clickhouse/click-ui`.
- Smart polling — pauses on hidden tabs so background tabs don't keep idle Cloud services warm.
- Theme toggle — light/dark, persisted per browser.
Docker
Public multi-arch image (linux/amd64 + linux/arm64) on Docker Hub:
`docker pull bun4uk/chadmin:2.0.0` (or `:latest`)
Closes
- #1 — Create ready to run docker container (open since 2021)
License
Now MIT.
Note
Not an in-place upgrade from v0.1 — full rewrite. Start fresh from .env.example + docker-compose.yml.