Releases: GhostManager/Ghostwriter
Release list
Ghostwriter v7.2.0
Summary
This release brings a major change to evidence management: the full deprecation of finding-level evidence, as promised in v6.0.
When evidence management was first introduced in Ghostwriter, findings were the only supported evidence destination, so evidence was attached directly to individual findings. As Ghostwriter matured and gained new features, such as report sections and observations, users needed to reuse evidence in more places. To support that, we added the option to attach evidence either to a finding or to a report.
Over time, the community identified limitations with this model and asked we simplify it. That time has come, so please be aware of this and communicate the change to your users before upgrading.
The included migrations will convert any finding-level evidence to report evidence. If there happens to be a naming conflict, the migrations will handle that for you. They will also update references in the finding if the evidence's name changes. This should be a rare occurrence because the client enforced unique names across all evidence under a report, but the database technically allowed duplicate names as long as the name was unique for the finding or report.
CHANGELOG
[7.2.0] - 30 June 2026
Added
- Added Playwright as a local dev package for end-to-end testing
- Added evidence metadata parser coverage for collaborative editor evidence loading
Changed
- Breaking: All evidence now attaches to a report object and is available to all findings and other report fields
- XLSX report exports now populate the "Supporting Evidence" column from report evidence references used by each finding
- This includes first-class evidence objects, legacy
{{.Evidence Name}}tags,{{.ref Evidence Name}}references, and{{.caption Evidence Name}}captions
- This includes first-class evidence objects, legacy
- Collaborative editor evidence loading now validates report metadata before querying evidence and keeps the evidence tool disabled only until report-scoped evidence context is ready
- Users can still upload and insert report evidence from finding, observation, and report extra field editors
- Previews of extra fields now more closely match your report configuration
- Image evidence will appear in accordance with your border, image width, and alignment configurations
- Captions will appear above or below evidence based on the configured location
- Text evidence now matches other code blocks as they typically do in the final reports
- They no longer inherit a border based on the border configuration
- They are now the full width of the content instead of bound to the evidence width intended for images
- The extra fields section of the report dashboard now presents fields as cards for easier review and access
- Loading of JSON extra fields is now "lazy" to defend page performance when these fields contain large JSON blobs
- The JSON data is also removed after closing the preview to maintain page performance
Fixed
- Fixed severity colors appearing incorrect in xlsx reports
Removed
- Breaking: Removed finding-level evidence ownership
- Existing finding-owned evidence migrates to the owning report
- In case of friendly name collisions, the migration adjusts the friendly name as needed to preserve both evidence records
- References to renamed migrated evidence update in the source finding's rich-text fields and extra fields
- The evidence upload API and Hasura metadata no longer accept non-empty
findingorfindingIdevidence associations
Ghostwriter v7.1.3
Summary
This release includes an optimization for service tokens that should significantly improve speed for large GraphQL queries that might otherwise timeout through the nginx proxy.
CHANGELOG
[7.1.3] - 26 June 2026
Changed
- Optimized service-token GraphQL user-resolution permissions for large project queries
- Service-token access now resolves related project users through a database-backed access view instead of repeatedly expanding a large Hasura permission tree
- Project and operation log service-token scopes remain unchanged
Fixed
- Fixed icons on filter fields not displaying properly
Ghostwriter 7.1.2
Summary
This release further locks down client-associated report templates based on user feedback. It also includes a small bug fix to improve compatibility with older browsers.
CHANGELOG
[7.1.2] - 24 June 2026
Fixed
- Fixed
datetime-localrendering for white card and deconfliction edit forms so saved timestamps display reliably in older browsers (Closes #917)
Security
- Fixed additional client-scoped report template authorization bypasses in template swapping, report generation, archive generation, linting, and lint result endpoints
- Report template selection now only accepts global templates or templates scoped to the report project's client
- This fix includes two temporary breaking changes for the API while we work on a custom endpoint to handle this new business logic:
- Breaking: The GraphQL API no longer allows
userormanagerroles to set report template ID columns directly when creating or updating reports - Breaking: The GraphQL API no longer allows
userormanagerroles to update a report's project ID column directly
- Breaking: The GraphQL API no longer allows
Ghostwriter v7.1.1
Summary
This release addresses a pair of issues to make Ghostwriter better.
CHANGELOG
[7.1.1] - 18 June 2026
Fixed
- Fixed project collaborative notes failing to load for users with project access (Fixes #913)
- The collaborative editor JWT is now scoped to the project so assigned users, project invitees, client invitees, managers, and admins can edit shared project notes
Security
- Fixed an authorization bypass that allowed authenticated users to download client-scoped report templates by direct URL
- Template downloads now use the same client access check as the template detail page
- Please see security advisory for details: GHSA-hx63-6fvp-4rpv
Ghostwriter v7.1.0
Summary
This release includes a few enhancements for existing features, but the major changes are in the dependencies. Ghostwriter is now updated to Django v5.2. The most noticeable change is the switch to a fork of the docxtpl library. This change introduces a several upstream performance enhancements that will significantly reduce report generation time. In testing, a report with a 2,000 row table generated in under two seconds.
CHANGELOG
[7.1.0] - 16 June 2026
Added
- Added a workflow to check the GraphQL codegen whenever models change to ensure there is no drift (Closes #849)
- Added tracking for the active report in the browser's
localStoragealong with a mechanism to re-activate the report on user login
Changed
- Switched from
docxtplto a Ghostwriter fork to implement performance improvements (Fixes #585; Closes #822)- Implemented changes in the upstream
docxtpldevelopment branch - Will consider returning to using the Pypi package when the new maintainers are able to merge the development changes and begin tagging releases
- Implemented changes in the upstream
- Updated Django to v5.2 with groundwork completed for Django v6.x (Closes #824)
- Going slow with version upgrades to ensure there are no issues with dependencies
- The dashboard calendar will now show all projects accessible to the user (Closes #871)
- For most users, the calendar will not appear to have changed, except for now including more details
- For managers and others with access to more projects, they will now be able to see how all their projects relate to each other in the calendar
- Improved operation log narrative outline insertion for report fields
- Preserves formatted comments, inserts operation log output as code blocks, and keeps linked evidence with matching
{{.ref ...}}lines - Formats commands as inline code and user context as italic text in inserted narrative lines
- Uses only the operation log output field for output blocks, not attached terminal recording text
- Preserves formatted comments, inserts operation log output as code blocks, and keeps linked evidence with matching
Fixed
- Adjusted how the TinyMCE editors load to fix pages sometimes scrolling down to newly initialized TinyMC
Ghostwriter v7.0.2
Summary
Small release to address an evidence listing issue that could affect managers and admins helping with reporting while not assigned to a project.
CHANGELOG
[7.0.2] - 10 June 2026
Fixed
- Fixed evidence listings inside the collab editor for privileged users
- The list of evidence could appear empty for admins and managers if they were not assigned to the related project
- Permissions checked for project data access via invites and assignments, but missed access from the privileged roles
Ghostwriter v7.0.1
Summary
This is a small hotfix for some users who may experience this PostgreSQL error: cannot ALTER TABLE "api_apikey" because it has pending trigger events"
CHANGELOG
[7.0.1] - 10 June 2026
Fixed
- Fixed API database migrations breaking when the existing database has many existing API tokens
Ghostwriter v7.0.0
Summary
This release marks a significant turn in automation. It hardens authentication by replacing user-managed JWT API tokens with opaque gwat_ credentials, adding scoped gwst_ service tokens for non-human integrations, tightening JWT/session validation, and moving service-token GraphQL access to a scoped service role. Existing user-managed JWT API tokens should be re-rolled by rotating them to receive a new opaque API token; changing an API token’s expiry now also generates a replacement token and immediately invalidates the old credential, so dependent automation must be updated with the newly shown token. Admin-created user-bound API tokens should be replaced with either user-created API tokens or scoped service tokens, depending on whether the credential should act as a human user or a non-human service.
Read more here: https://www.ghostwriter.wiki/features/access-authentication-and-session-controls/user-profile-and-tokens
CHANGELOG
[7.0.0] - 3 June 2026
Breaking Changes
- User-managed API tokens are now opaque
gwat_credentials instead of JWTs- Existing user-managed JWT API tokens must be rotated to receive an opaque API token
- API token expiry edits rotate the token prefix, secret hash, and UUID identifier, which immediately invalidates the previous credential
- Django admin can no longer create user-bound API tokens
- Use service principals and service tokens for non-human integrations
- Admin-created user-bound API tokens should be replaced with user-created API tokens or scoped service tokens, depending on whether the credential should act as a user or as a non-human service
- Login and collaborative editor JWTs now use explicit JWT typing and are accepted only by their intended authentication paths
- Collaborative editor JWTs authenticate to Hasura only as a restricted
collabrole for the editor's required read-only queries - Login JWTs require a tracked, unrevoked user session bound by the
jticlaim
- Collaborative editor JWTs authenticate to Hasura only as a restricted
- Service-token GraphQL access now uses the new
servicerole and scoped service-token permissions instead of inheriting a creating user's permissions
Added
- Scoped Service Tokens: Added service principals and service tokens for non-human automation credentials (Closes #881)
- Service principals represent durable integrations or automation services
- Service tokens are opaque
gwst_credentials with hashed secrets, expiration, revocation, and last-used tracking - Service token permissions are assigned to the token instead of inheriting the creating user's permissions
- Added operation log read/write tokens scoped to one operation log and its entries
- Added project read-only tokens scoped to selected projects or all projects the creator can access now and later
- Service Token GraphQL Access: Added a Hasura
servicerole for scoped service-token access- The shared
servicerole exposes a combined service-token schema; each token's grants still determine which protected rows and Actions it can use - Project read access is backed by database views that validate the service token, service principal, creator status, and current project access
- Service tokens can read project-related data, project-linked operation logs, evidence, reports, findings, observations, and public libraries
- Service tokens can call selected read-oriented GraphQL Actions when their token grants allow the target resource, including report generation, evidence and recording downloads, tag lookups, and extra field specs
- The shared
- Added service-token management to the Django admin
- Added documentation for API tokens, service tokens, and service-principal concepts
- Added user-session tracking for login JWTs so administrators can revoke active GraphQL sessions
- Added a management command to clean up expired Django sessions and tracked GraphQL login sessions
Changed
- Reworked the user profile page to organize API tokens and service tokens into clearer cards
- API tokens are described as user-bound automation credentials
- Service tokens are described as scoped non-human credentials
- Expired tokens can be hidden, and that preference is remembered in local storage
- Token expiry dates now use warning styling when expiring within seven days and expired styling after expiration
- API tokens now show last-used timestamps alongside service tokens
- API tokens now have lazy-loaded details modals showing the token user's current project access
- Added profile controls for editing API token and service token expiry dates
- API token expiry edits now generate a replacement opaque token so the previous credential stops working immediately
- Added service-token detail modals that show service principal, project read access, direct operation-log access, stale project grants, and token access summaries
- Improved dark-mode styling for disabled fields
- Made the sidebar toggle tab sticky while scrolling
- Added the
DJANGO_MFA_PASSKEY_LOGIN_ENABLEDenvironment variable for controlling passkey login support - API tokens are now opaque
gwat_credentials with hashed secrets instead of user-managed JWTs- Editing an API token expiry rotates the token prefix, secret hash, and UUID identifier
- Login and collaborative editor JWTs now use explicit JWT typing
- Login JWTs bind their
jticlaim to a tracked user-session identifier - Collaborative editor JWTs use a dedicated token type and restricted Hasura role
- Login JWTs bind their
Fixed
- Fixed observation library create/edit/delete permissions not being checked for the
userrole in the GraphQL API - Fixed token tables showing as empty when Hide Expired hides every API token or service token
- Fixed hyperlinks not working properly in open Office alternatives like LibreOffice (Fixes #890; Thanks to @wexew-ware)
Security
- Updated Django from 4.2.16 to 4.2.30 to address CVE-2026-3902 in
ASGIRequest(Fixes #896) - Added service-token authorization helpers for Django-backed Hasura Actions so service tokens are denied by default unless an action explicitly opts in
- Login JWT validation now checks the tracked user session after verifying the JWT signature and expiration so sessions can be revoked on demand
- Collaborative editor JWTs are restricted to a dedicated Hasura role and accepted by the collaborative editor permission-check endpoint
- API token validation now verifies the opaque token secret against a stored hash and rejects revoked, expired, or inactive-user tokens
- API token expiry edits now invalidate the previous credential and show the replacement token once
- Service-token validation now uses explicit secret-checking terminology internally and keeps full lifecycle validation on the manager path
- Added Hasura metadata validation tests to catch service-role permission drift, legacy service-token headers, and unexpected service mutations
- Added validation for service-token permission resource, action, and constraint combinations
Ghostwriter v6.3.6
Summary
This release fixes an issue with client creation that was introduced in a recent release.
CHANGELOG
[6.3.6] - 26 May 2026
Fixed
- Fixed creating a new client with an incomplete point of contact causing a server error instead of displaying required-field validation errors (Fixes #889)
Ghostwriter v6.3.5
Summary
This small release fixes an issue with the CVSS v4 calculator not aligning with the official CVSS spec as intended.
CHANGELOG
[6.3.5] - 7 May 2026
Fixed
- Fixed "Safety" incorrectly appearing as an option for some fields in the CVSS v4 calculator
- Fixed invalid CVSS vectors preventing report generation