v8.2.1

Features

• Add toot:discoverable support for actors

Bug fixes

• Handle PNPM store directory change, fixing ERR_PNPM_UNEXPECTED_STORE crash
• Better conversion to square thumbnail of landscape thumbnails
• Fix running again object storage move job on videos that are already in object storage when using npm run create-move-video-storage-job
• Fix uploading HLS caption after transcoding
• Fix broken schema.org tag with special chars

v8.2.0

Blog post: https://joinpeertube.org/news/release-8.2

SECURITY

Please read the v8.1.8 IMPORTANT NOTES, which explain that the vulnerability fixed in v8.1.6 has been actively exploited

IMPORTANT NOTES

• Follow v8.1.0 IMPORTANT NOTES if you upgrade from PeerTube <= v8.0.2
• Remove NodeJS 20 support. Please upgrade to NodeJS 22 (>= 22.12) before upgrading PeerTube
• The public access of /api/v1/accounts API endpoint is deprecated for privacy reasons and will be behind an admin/moderator auth access in PeerTube v9, planned for the end of 2027
• iOS versions < 15.4 are not supported anymore

NGINX

• Fix an important NGINX I/O issue when users download a video: 5fa456e
  Please upgrade your NGINX configuration

Sysadmin

• prune-storage script can now be run without stopping PeerTube
• Add video privacy tag for peertube_videos_total OTEL metric

Configuration

This section is not exhaustive

• Add download.max_total_bytes_per_second and download.max_bytes_per_ip_per_second configuration keys to throttle video downloads.
  These new keys help prevent instability when botnets download the entire PeerTube catalog
• Add ability to provide cookies to yt-dlp #7510.
  See the documentation for more information: https://docs.joinpeertube.org/maintain/configuration#use-cookies-for-youtube-imports-when-needed
• Increase the default refresh token lifetime oauth2.token_lifetime.refresh_token to 4 weeks (instead of 2 weeks)
• Allow admins to configure the default state of the Automatically publish a replay when your live ends option #7414

Docker

• The entire PeerTube configuration can be set using environment variables.
  Keep in mind that environment variable configuration keys override web admin configuration

Plugins/Themes/Embed API

• Add server plugin hooks (https://docs.joinpeertube.org/api/plugins):
  • filter:api.user.signup.requires-approval.result
  • filter:notifier.notification.enabled.result
• Add a server plugin helper:
  • storageManager.deleteData(key: string)

Features

• 🎉 Add ability to transfer a video channel to another user of the same instance 🎉
• 🎉 Add live DVR allowing users to seek within and pause the live #7396 🎉
• 🎉 Add ability to remove segments of a video in Studio 🎉
• Support Romanian and Korean languages in web client
• Improve video ownership change UX:
  • Better table UI in My Videos -> More -> Ownership changes. It also lists ownership change requests for users' videos
  • The video management page now includes a section to transfer ownership of a video and cancel a pending request
  • Add notifications when video ownership is requested/accepted/rejected
  • Add bulk actions to accept/reject an ownership change request
• Player:
  • Restore playback rates and manual video resolution choice between sessions in the same web browser
  • Add ability to flip the video horizontally #7478
  • Redesign loading spinner
• Support podcast feed for playlists
• Add video download stats for video makers #7437
• Improve global UX:
  • Introduce a new table filter component that is simpler to use
  • Default runner job route is the page that lists runner jobs
  • Clicking on a type/state tag automatically filters data for local/runner job states and types, follow states, registration states, and user roles
  • Add video tag information and filter when listing my videos
  • Add ability to bulk accept/reject registration requests
  • Add ability to filter users by role in users overview
  • Improve comments UI on mobile
  • Display subscribe button when subscription state is loaded
  • Add g p hotkeys to go to My playlists page
• Improve videos overview for admins:
  • Add ability to filter videos by state
  • Add a mute badge if the video owner is muted by the instance
  • Add ability to filter out videos from muted accounts
• Improve video blocks overview for admins:
  • Add video privacy column
  • Add bulk actions to unblock, switch to manual block or delete the selected videos
  • Add a mute badge if the video owner is muted by the instance
• Improve abuses overview for admins:
  • Add bulk action to update internal note, mark as accepted/rejected, delete report, mute reporter/reportee, block/unblock the video, delete the video/comment
  • Add a mute badge if the reporter/reportee is muted by the instance
• Improve comments overview for admins and users:
  • Clicking on account name filters comments
  • Add a mute badge if the account that commented the video is muted by the instance
  • Add ability to filter out comments from muted accounts
• Performance:
  • Reduce SQL joins when loading a video from the database
  • Faster video SQL query to retrieve my videos
  • Faster video comments SQL queries for users that list comments on their videos
  • Faster video redundancies SQL queries
  • Reduce number of rows returned by video SQL queries
  • Reduce number of rows returned by comments SQL queries
  • Faster loading of My channels page
  • Add /about endpoint caching in the client to reduce unnecessary API calls
  • Process ActivityPub View and Download activities in parallel
  • Forward ActivityPub View using parallel broadcast
• Support ActivityPub indexable field for actors
• Expose runner and runner job queue OpenTelemetry metrics #7469
• Prevent stale follows by periodically re-sending Follow ActivityPub requests to remote instances
• Improve follows reliability algorithm to reject followers that have been consistently down for ~7 days
• Add .m4b audio file support

Bug fixes

• Fix plugin settings to display default values when not configured in the DB #7484
• Fix actor host link in miniature instance dropdown if search index is disabled
• Fix missing stream error handling in web video object storage proxy #7535
• Fix caption filename overflow
• Fix setting a thumbnail from a video that is stored in object storage
• Fix instance redundancies pagination
• Filter out non-text languages for captions
• Increase lazy static files cache time (thumbnails, captions, actor avatars/banners, etc.) to 1 year
• Correctly log uncaught exceptions or unhandled promise rejections in file logger
• Prevent page scrolling when applying filters while browsing instance/account/channel videos
• Fix infinite scroll when listing my followers
• Handle errors when updating a video playlist
• Fix download filename if the video contains non-Latin characters
• Fix font colors in emails by only injecting custom admin colors when the default theme is light-beige or dark-brown, to prevent accessibility issues
• Fix broken audio stream P2P for lives
• Fix broke HLS transcoding on concurrent video privacy change
• Don't unpause the player when clicking on a transcription segment
• Fix table page navigation on registration action
• More robust playlist thumbnails updater
• Fix concurrency issue when writing live sha segments
• Fix concurrency issue when uploading the same torrent filename
• Fix column varchar lengths

v8.2.0-rc.3

SECURITY

• Include security fixes from 8.1.8 and bug fixes from 8.1.7

v8.1.8

IMPORTANT NOTES

⚠️ Follow v8.1.0 IMPORTANT NOTES if you upgrade from PeerTube <= v8.0.2 ⚠️

We have learned that the SQL injection vulnerability fixed in v8.1.6 has been exploited at scale since at least May 18, 2026 and so before the v8.1.6 release.
According to our investigation, the attacker exploited this SQL injection to generate a token for the root user and install the peertube-plugin-google-analytics-js plugin. This plugin imports a client script from hxxps://www.googie-anaiytics.com/jquery.ui.js that currently only logs a line in the web browser.

Actions taken by this release:

• Automatically remove peertube-plugin-google-analytics-js in v8.1.8
• Invalidate OAuth tokens in v8.1.8 (all users must log in again)
• Add a new user.disable_root_auth config key to disable root token usage
• Remove the plugin from the plugin registry

Actions taken by Framasoft:

• Report googie-anaiytics.com to the registrar
• Send a contact-form message to public PeerTube instances
• Release additional versions if we observe other attack vectors
• A CVE is being requested for the SQL injection

Actions admins must take:

• Upgrade to v8.1.8 as soon as possible
• Review newly created users and videos
• Review your instance configuration, especially Configuration -> Customization -> JavaScript/CSS
• Review installed plugins
• Generate new tokens for your runners

If you cannot upgrade to v8.1.8:

1. Remove actor follows that contain the 20.240.202.159 URL:

• Find them: SELECT * FROM "actorFollow" WHERE "url" LIKE '%20.240.202.159%'
• Delete them: DELETE FROM "actorFollow" WHERE "id" = ...

2. Remove actors that contain a ' character in inboxUrl:

• Find them: SELECT * FROM "actor" WHERE "inboxUrl" LIKE '%''%'
• Delete them: DELETE FROM "actor" WHERE "id" = ...

3. Invalidate OAuth tokens: UPDATE "oAuthToken" SET "accessTokenExpiresAt" = NOW(), "refreshTokenExpiresAt" = NOW() WHERE "accessTokenExpiresAt" > NOW() OR "refreshTokenExpiresAt" > NOW()
4. Remove peertube-plugin-google-analytics-js from instance plugins
5. Disable federation in production.yaml by setting federation.enabled to false
6. Restart PeerTube

v8.1.7

Bug fixes

• Fix broken URL import
• Fix user quota check for imports
• Fix removing notifications from muted accounts

v8.2.0-rc.2

SECURITY

• Include security fixes from 8.1.6

Features

• Add g p hotkey to go to my playlists
• Add .m4b audio file support

Bug fixes

• More robust playlist thumbnails updater
• Fix concurrency issue when writing live sha segments
• Fix concurrency issue when uploading the same torrent filename
• Fix column varchar lengths

v8.1.6

IMPORTANT NOTES

• Follow v8.1.0 IMPORTANT NOTES if you upgrade from PeerTube <= v8.0.2

SECURITY

• Fix SQL injection coming from actor inbox URL when updating actor follow scores. Thanks to Nagarajan Selvaraj Paulmony for reporting this vulnerability 🙏
• Reject JSON-LD objects with special properties. Thanks to Mastodon security team for reporting this vulnerability 🙏
• Restricts role assignment to administrators only
• Prevent external auth token replay
• Prevent SSRF on import and channel sync
• Stricter rate limit to ask password reset

v8.2.0-rc.1

IMPORTANT NOTES

• Remove NodeJS 20 support. Please upgrade to NodeJS 22 (>= 22.12) before upgrading PeerTube
• The public access of /api/v1/accounts API endpoint is deprecated for privacy reasons and will be behind an admin/moderator auth access in PeerTube v9, planned for the end of 2027
• iOS versions < 15.4 are not supported anymore

NGINX

• Fix an important NGINX I/O issue when users download a video: 5fa456e
  Please upgrade your NGINX configuration

Sysadmin

• prune-storage script can now be run without stopping PeerTube
• Add video pivacy tag for peertube_videos_total OTEL metric

Configuration

This section is not exhaustive

• Add download.max_total_bytes_per_second and download.max_bytes_per_ip_per_second configuration keys to throttle video downloads.
  These new keys help prevent instability when botnets download the entire PeerTube catalog
• Add ability to provide cookies to yt-dlp #7510.
  See the documentation for more information: https://docs.joinpeertube.org/maintain/configuration#use-cookies-for-youtube-imports-when-needed
• Increase the default refresh token lifetime oauth2.token_lifetime.refresh_token to 4 weeks (instead of 2 weeks)
• Allow admins to configure the default state of the Automatically publish a replay when your live ends option #7414

Docker

• The entire PeerTube configuration can be set using environment variables.
  Keep in mind that environment variable configuration keys override web admin configuration

Plugins/Themes/Embed API

• Add server plugin hooks (https://docs.joinpeertube.org/api/plugins):
  • filter:api.user.signup.requires-approval.result
  • filter:notifier.notification.enabled.result
• Add a server plugin helper:
  • storageManager.deleteData(key: string)

Features

• 🎉 Add ability to transfer a video channel to another user of the same instance 🎉
• 🎉 Add live DVR allowing users to seek within and pause the live #7396 🎉
• 🎉 Add ability to remove segments of a video in Studio 🎉
• Support Romanian and Korean languages in web client
• Improve video ownership change UX:
  • Better table UI in My Videos -> More -> Ownership changes. It also lists ownership change requests for users' videos
  • The video management page now includes a section to transfer ownership of a video and cancel a pending request
  • Add notifications when video ownership is requested/accepted/rejected
  • Add bulk actions to accept/reject an ownership change request
• Player:
  • Restore playback rates and manual video resolution choice between sessions in the same web browser
  • Add ability to flip the video horizontally #7478
  • Redesign loading spinner
• Support podcast feed for playlists
• Add video download stats for video makers #7437
• Improve global UX:
  • Introduce a new table filter component that is simpler to use
  • Default runner job route is the page that lists runner jobs
  • Clicking on a type/state tag automatically filters data for local/runner job states and types, follow states, registration states, and user roles
  • Add video tag information and filter when listing my videos
  • Add ability to bulk accept/reject registration requests
  • Add ability to filter users by role in users overview
  • Improve comments UI on mobile
  • Display subscribe button when subscription state is loaded
  • Add g p hotkeys to go to My playlists page
• Improve videos overview for admins:
  • Add ability to filter videos by state
  • Add a mute badge if the video owner is muted by the instance
  • Add ability to filter out videos from muted accounts
• Improve video blocks overview for admins:
  • Add video privacy column
  • Add bulk actions to unblock, switch to manual block or delete the selected videos
  • Add a mute badge if the video owner is muted by the instance
• Improve abuses overview for admins:
  • Add bulk action to update internal note, mark as accepted/rejected, delete report, mute reporter/reportee, block/unblock the video, delete the video/comment
  • Add a mute badge if the reporter/reportee is muted by the instance
• Improve comments overview for admins and users:
  • Clicking on account name filters comments
  • Add a mute badge if the account that commented the video is muted by the instance
  • Add ability to filter out comments from muted accounts
• Performance:
  • Reduce SQL joins when loading a video from the database
  • Faster video SQL query to retrieve my videos
  • Faster video comments SQL queries for users that list comments on their videos
  • Faster video redundancies SQL queries
  • Reduce number of rows returned by video SQL queries
  • Reduce number of rows returned by comments SQL queries
  • Faster loading of My channels page
  • Add /about endpoint caching in the client to reduce unnecessary API calls
  • Process ActivityPub View and Download activities in parallel
  • Forward ActivityPub View using parallel broadcast
• Support ActivityPub indexable field for actors
• Expose runner and runner job queue OpenTelemetry metrics #7469
• Prevent stale follows by periodically re-sending Follow ActivityPub requests to remote instances
• Improve follows reliability algorithm to reject followers that have been consistently down for ~7 days

Bug fixes

• Fix plugin settings to display default values when not configured in the DB #7484
• Fix actor host link in miniature instance dropdown if search index is disabled
• Fix missing stream error handling in web video object storage proxy #7535
• Fix caption filename overflow
• Fix setting a thumbnail from a video that is stored in object storage
• Fix instance redundancies pagination
• Filter out non-text languages for captions
• Increase lazy static files cache time (thumbnails, captions, actor avatars/banners, etc.) to 1 year
• Correctly log uncaught exceptions or unhandled promise rejections in file logger
• Prevent page scrolling when applying filters while browsing instance/account/channel videos
• Fix infinite scroll when listing my followers
• Handle errors when updating a video playlist
• Fix download filename if the video contains non-Latin characters
• Fix font colors in emails by only injecting custom admin colors when the default theme is light-beige or dark-brown, to prevent accessibility issues
• Fix broken audio stream P2P for lives
• Fix broke HLS transcoding on concurrent video privacy change
• Don't unpause the player when clicking on a transcription segment
• Fix table page navigation on registration action

v8.1.5

IMPORTANT NOTES

• Follow v8.1.0 IMPORTANT NOTES if you upgrade from PeerTube <= v8.0.2

Bug fixes

• Fix infinite loop when processing some GIF images
• Correctly inject custom admin colors in dark theme
• Fix broken player when loading the page in background

v8.1.4

IMPORTANT NOTES

• Follow v8.1.0 IMPORTANT NOTES if you upgrade from PeerTube <= v8.0.2

Bug fixes

• Don't fetch too big image sizes for thumbnails
• Prevent the player from crashing when the user quits the watch page
• Prevent invalid start/end timecode when cutting the video in studio
• Fix blocklist error when listing many users
• Fix broken transcoding when remote runners is enabled