Open OnDemand version 4.1 is now available as version 4.1.1. Thank you to all of the community members who contributed code, suggestions, bug reports, documentation, and other assistance across the project, including the 44 first-time contributors across several core Open OnDemand GitHub repositories.
We’d like to recognize the following contributors for their significant contributions to the 4.1 release:
- Alan Sussman and Harshit Soora (University of Maryland)
- Robert Henschel, Mattias Reuterskiöld, William Sjöblom, and Jean Zagonel (Cendio AB)
- Jonathan Goodson (NIH)
- Leonard Wisniewski, Phil Durbin, Aday Bujeda, William Horka, Michael Reekie, and the Harvard University IQSS and Dataverse teams
Please see the Acknowledgements section of the release notes for more details on their contributions.
Release Overview
This release brings significant enhancements, new features, deprecations, and dependency updates. Version 4.1 also introduces an Accessibility Conformance Report (ACR) and a Software Bill of Materials (SBOM). Links are provided at the end of this announcement.
Changes That May Impact Your Site / Breaking Changes
- NodeJS has been upgraded from version 20 to version 22. Centers with Passenger apps that rely on NodeJS need to either recompile to version 22 or provide an override for the node binary.
- Support has been added for RHEL, Rocky Linux, and AlmaLinux 10.
- Support for Ubuntu 20.04 has been removed.
Deprecations
The Job Composer is being deprecated and replaced by the Project Manager, which is now enabled by default. The Job Composer will remain available through Open OnDemand version 5.0 but will receive no new features and only critical maintenance updates.
Dependency Updates
- Passenger 6.1.0
- NGINX 1.26.3
ondemand-dex 2.44.0
- NodeJS 22
Several Highlights of version 4.1.1
- Project Manager enhancements. The Project Manager is now available by default and includes expanded workflow and collaborative project capabilities.
- New Module Browser. Users can search and view available modules and module versions across clusters.
- Notifications for Interactive Apps. Users can now receive a browser notification when an interactive session starts.
- HTML file viewing. Centers can enable the file browser to directly render HTML files.
- ServiceNow integration for support tickets. Support requests can now be sent to ServiceNow.
- Interactive App caching. Interactive Applications are now cached, shortening the load time for pages like ‘My Interactive Sessions’.
- Support for TLS/SSL origins. Open OnDemand now supports the ability to proxy to interactive applications over HTTPS.
Additional Resources
For a detailed list of changes, please see the 4.1 release notes or the changelog.
Finally, we recommend testing the upgrade in a development or test environment before deploying to production. Step-by-step upgrade instructions for version 4.1.1 are available in the release notes.
3 Likes
Open OnDemand 4.1.3 is now available. Thank you to all community members who contributed code, suggestions, bug reports, and other assistance across the project.
Release Overview
This release includes several bug fixes and usability improvements. For a full list of changes, please see the changelog. To compare versions 4.1.1 and 4.1.3, please see this comparison link.
Security:
-
Resolves CVE-2026-26002. This version resolves a security issue related to malicious input when navigating to directories.
-
Updates NodeJS and Ruby dependencies with CVEs. This version updates rubygems rack, faraday and nokogiri which had some CVEs associated with them. It also updates the NodeJS package qs which had a CVE associated with it.
Fixed:
- Fixed an issue deleting jobs from the ActiveJobs page. Users can now successfully delete jobs from the ActiveJobs page.
1 Like
Open OnDemand 4.1.4 is also available. We are releasing two patch updates today for the 4.1 series.
Special note: This is an expedited patch release to address a compatibility issue between the Open OnDemand Shell app and Firefox 148. The issue impacts shell access for sites using that browser version.
To ensure the community has a timely fix, we shortened our normal testing window on OSC systems. This release has undergone manual testing and validation, but it has not yet been promoted to full production at OSC.
This patch also fixes a bug that disabled navigational directory links in the file browser for users with downloads_enabled: false. The fix restores the ability to view directory contents and navigate the file system while still preventing file viewing or downloads.
For a full list of changes, please see the changelog. To compare versions 4.1.3 and 4.1.4, please see this comparison link.
1 Like
Open OnDemand 4.1.5 is now available. Thank you to all community members who contributed code, suggestions, bug reports, and other assistance across the project.
Release Overview
This release includes several bug and security fixes. For a full list of changes, please see the changelog. To compare versions 4.1.4 and 4.1.5, please see this comparison link.
Bug Fixes
- Edit links in the Files app are no longer served when file downloads are disabled.
- Fixed URL encoding for filenames containing special characters such as
# and + in the Files app, resolving broken edit and download links for those files. Path handling for encoded filenames in the path_selector was also corrected as part of this fix.
- The project form wasn’t detecting changes made via the path_selector widget, so the group and setgid options would not update as expected. That’s now fixed.
Security
- This version resolves a security issue where the HSTS header, which tells browsers to always use a secure HTTPS connection rather than plain HTTP, was not always being set in
NGINX. Previously, this could be missed depending on your configuration, so we’ve made it unconditional. Thank you to @karcaw for identifying this issue and submitting the PR that fixed it.
- Resolved CVE-2026-44371. In previous versions, specially crafted filenames can execute javascript in the file browser. This has been fixed in this release. Thank you to @irateChiapet for reporting this vulnerability and working with us on the fix.
Dependency Notes
These packages have known security alerts, but the patched versions require compatibility breaking changes, so they are not included in this patch release. The fixes are included in Open OnDemand 4.2, which is planned for mid-May.
Handlebars 4.7.7
Rails 7.1.6 (including Activesupport, ActiveStorage, and Actionview)
Braces 2.3.2
turbo-rails 7.3.0
Special Note
This release has undergone manual testing and validation, but it has not yet been promoted to full production at OSC because we are currently running version 4.2 internally.
Open OnDemand 4.1.6 is now available. Thank you to all community members who contributed code, suggestions, bug reports, and other assistance across the project.
Release Overview
This release contains security fixes, bug fixes, and dependency updates. For a full list of changes, please see the changelog. To compare versions 4.1.5 and 4.1.6, please see this comparison link.
Breaking Changes and Changes That Will Affect Your Site
-
Sites using OIDC authentication must explicitly set oidc_crypto_passphrase in ood_portal.yml before upgrading. As part of the fix for CVE-2026-55171, Open OnDemand no longer provides a default value for OIDCCryptoPassphrase. If this value is not set, Apache will start but will be unable to apply new configurations from ood_portal.yml, meaning the CVE mitigation will not take effect and your site will remain vulnerable. This failure is silent because Apache will continue running on its old configuration without obvious interruption, so check your logs to confirm configurations were applied successfully. If you missed this step before upgrading, you can set the value after the fact and reconfigure.
-
RHEL-based sites not using Puppet to install OOD should update access to /var/log/ondemand-nginx using a filesystem ACL (FACL). As part of the fix for CVE-2026-55169, OOD now changes the ownership of this directory on RHEL systems, which may remove access for staff members who previously had it. Debian packages and Puppet-managed installs already handle this correctly and are not affected. The command to do this is setfacl -m g:groupname:rx /var/log/ondemand-nginx where groupname needs to be replaced with the actual group.
Security
-
Resolved CVE-2026-55171. As mentioned above, the default oidc_crypto_passphrase is predictable and unsafe to use. Therefore, OOD no longer provides the default, and Apache will start, but the CVE mitigation will not take effect, and your site will remain vulnerable. The decision to include a fix for this security vulnerability in a patch was made in conjunction with the Open OnDemand Technical Governance Committee. Thank you to kazeruch for reporting this vulnerability.
-
Resolved CVE-2026-55172. The session storage directory now has multiple checks to ensure it is created by the user and owned by the user, falling back to cookies if these checks fail. Previous versions lacked sufficient checks of this directory. Thank you to @irateChiapet for reporting this vulnerability and working with us on the fix.
-
Resolved CVE-2026-55169. Previous versions allowed VNC passwords to be logged in access logs. This release resolves that issue on all systems and hardens that directory on RHEL systems by changing its ownership of /var/log/ondemand-nginx. For details and recommended site action, see the third bullet under “Breaking Changes and Changes That May Affect Your Site.” Thank you again to @irateChiapet for reporting this vulnerability and working with us on the fix.
Bug Fixes
-
Filenames with spaces now correctly link to the File Editor fixing previous behavior of broken links.
-
Fixed dynamic batch connect fields containing underscores. Fields using underscores in their token names were not being normalized correctly and failed to function as expected.
-
Fixed job hash not being saved in Project Manager workflows. A backend fallback now ensures the job hash is saved correctly, so data is not lost between runs.
-
Navigation bar menus work correctly on MacOS/Safari previously fixing rendering behavior where links couldn’t be selected.
-
Display settings in Recently Used Apps now escape HTML.
Dependency Updates
-
We made many Ruby and NodeJS package updates in this patch. Please see the changelog for those details.
-
The ondemand-selinux package no longer requires a specific selinux-policy version, which improves compatibility across supported RHEL operating systems.
TLDR;